As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.
The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!
After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to the Tom and the Computerphile team for spending their time and effort to make these great videos!
Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person i'd have wanted to be best friends with if we'd been kids at the same time and place
I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites. Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers screen-name authentication, and to modify my screen-name when I was in the chat. Worst-yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations. Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.
suit1337 Yes, I know about these issues. I think most of the developers out there enjoy these videos regardless of what they know about the subject. And there is always a chance of learning something new.
suit1337 You do know that web developers can be new to web development right? We don't live in the age where the only way to learn something is through a proper school. You could easily start your web development very small time on your own and be unaware of the basic security flaws...
I'm aware of that - and that is a shocking development in this business. Take another work field for example: someone could not easily start a business as an electrician without proper education - but you can start as a web developer. there are lots of fools around here with no clue, even in the basic properties of the business but they make shitloads of money with their crap that really fills me, doing proper work, with anger --- just an example from my country (austria) - the website of our ex financial minister was priced at 220.000 Euro the website of the agricultural ministry cost about 5,5 Million Euros and those websites are not even closely done properly and get defaced over and over again - instead of blaming the stupid overpriced web developers with no proper education they blame the "bad hackers" a few weeks ago our interior ministry presented a new 100 % hackerproof "student licence" - it was hacked only 3 days after via a very simple SQL injection i hope you understand, that it disturbs me, that every moron with no education can start a new 1 man web agency and start coding with no education in the field at all.
suit1337 I understand this, it's true of anyone who takes pride in their work. It's not really that shocking though. This is true of any business until government steps in to regulate it. I think the true problem lies in the fact that Web Development is an all encompassing term even though it has several aspects: Design, Functionality, Reliability, Marketability, and, of course, Security. From what I've seen most people think these are the same, though many have started to separate design.
These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.
This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). I the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both this attacks are well-known and defended against.
It's good having an episode of computerphile, mainly because the intricate and important details in computer are _so complicated_ even though I (thought) that I knew about computers. This kinda gives me a foundation. Also you should probably talk about logic gates, whether it's minecraft or whatnot, they explain how you could have to light switches for one light
Just wanting to let you guys not know that you are doing a great job I love watching your videos and always get excited when I see that you posted another one. I'm 16 years old and enjoy programming but thoose videos add another point of view to it and really get you thinking Greetings from Germany
Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt tipped pen sound quieter/non existent. It makes my toes curl!
Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!
The tale in the beginning about POST and GET requests is a bit of an ideal case too. Many sites actually work just as well if instead of a GET request you make a POST request with the same content, or vice versa.
these videos jus seem to come right after i've implemented something for a project in my courses ... Thank you for informing me of these things, heavens knows I'll need them in the field
Can't i just load the other form in an invisible Iframe and then parse and search through the html retrieved? Use the token info and create my own form.
The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.
This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)
Here's one consideration on how important it is to validate user input on the server side. Take any disabled html element. Open up firebug console and run some javascript, eg. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.
It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout the users needs to have been on the form which does the action, somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out and you could even track when they leave the form to immediately invalidate the nonce.
Great Video. As a novice web developer these videos help immensely. Keep them coming. A video on how to design a site which can be logged into securely would be very helpful.
I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.
I've been looking for a video that I can send to my non-techie friends to give them slight idea about XSRF. This video is what I've seen so far that's lay-man friendly.
Learning about this sort of thing really helps me understand *why* we covered all that stuff in Security class. At first glance it's like "oh jeez, look at all these layers upon layers of authentication, authorization, validation, validation-of-the-validation..." but these sorts of clever attacks are why. I didn't even know this sort of thing was possible.
cross-site scripting is blocked in browsers as a simple example, say i have a site with a bunch of livestream embeds, and i set up a script that when i press F2, it scrolls to my favourite one As soon as i click inside any of the streams, say the play button.., F2 won't work and it'll continue to not work until i click outside again, giving focus back to my own page The only way they can load the bank would be to actually load the bank visibly to you, because you're the only one that can interact with it.. the scripts can't..., not theirs anyway
I think that what you are saying is incorrect, i have done some coding with AJAX(Asynchronous JavaScript and XML) and it didn't need to be visible to be able to load. and almost every page on the internet gets data from other sites invisible(i once had a chrome extension that showed which site you visited and where they took data from, an average site connected to more than 20 different websites(like for tracking: google analytic)
oh do you mean, that even for the request of the forum not only the submission needs to be accompany by the token? That would make more sense and would solve that problem, thanks
Awesome...never even thought of such security issue...I think chrome's sandboxing of the tabs won't help here coz I have seen the sessions and cookies are shared across tabs....Keep it coming - love the videos
I simply love all the Tom's videos, very well explained. Keep going with the good content, Mr. Red T-shirt haha - I don't know if it is intentional or not, so I don't want to be a jerk. :p.
And here's the third one... Tom great as always. By the way, with Django framework the way to prevent it is as simple and comfortable as adding {% csrf_token %} inside the form tag =).
Ya know, if accepting request from other website would work, then the form would likely be accessible by javascript running from the other website as well. Which means, my javascript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.
Awesome Video, Systems security is to my mind the best subject to do videos on, keep doing that, this is very interesting, very useful ! Keep UP that good work
I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?
Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?
Being able to create your own version of a form a send that is a problem in general, as you could also strip out any checks in the original form you don't like.
You can easily get around the random number thing just by making a PHP request to the site and grabbing that form element and inserting it right into your page! Then the random token will be correct everytime because the data is coming directly from the server.
Speaking of account deletion, it's even safer to create a token and *not* return it directly to the user, but send an e-mail containing a link with this token.
great explanation with a fantastic example! at the end you talked about how we should check if a token is being sent - how can we do this? is it just making sure we have the https instead of http in the URL?
I love how passionate Tom is about this. You can really see it in his face and hear it in his voice.
Tom, I'm never going to your blog, that's for sure now.
As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.
The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!
After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to the Tom and the Computerphile team for spending their time and effort to make these great videos!
"But since then, it's got a bit more complicated"
-Tom Scott, 2013, describing the internet and the history of the universe in one sentence.
"My hand has lower ambitions than my brain does"
Yeaaah I know the feel...
Please, don't ever stop making these.
Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person i'd have wanted to be best friends with if we'd been kids at the same time and place
Tom is probably my favorite person on this channel. I just love the way he talks and I love the topics he has.
I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites.
Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers screen-name authentication, and to modify my screen-name when I was in the chat. Worst-yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations.
Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.
These Tom Scott videos are so addictive, I can't stop watching! xD
Being a web-developer I highly enjoy this series. Tom really knows what he is talking about, and I just love the enthusiasm.
it disturbs me, that you're a web-developer and enjoy this :) you should already know all these issues
suit1337 Yes, I know about these issues. I think most of the developers out there enjoy these videos regardless of what they know about the subject. And there is always a chance of learning something new.
suit1337 You do know that web developers can be new to web development right? We don't live in the age where the only way to learn something is through a proper school. You could easily start your web development very small time on your own and be unaware of the basic security flaws...
I'm aware of that - and that is a shocking development in this business. Take another work field for example: someone could not easily start a business as an electrician without proper education - but you can start as a web developer.
there are lots of fools around here with no clue, even in the basic properties of the business but they make shitloads of money with their crap
that really fills me, doing proper work, with anger
---
just an example from my country (austria)
- the website of our ex financial minister was priced at 220.000 Euro
the website of the agricultural ministry cost about 5,5 Million Euros
and those websites are not even closely done properly and get defaced over and over again - instead of blaming the stupid overpriced web developers with no proper education they blame the "bad hackers"
a few weeks ago our interior ministry presented a new 100 % hackerproof "student licence" - it was hacked only 3 days after via a very simple SQL injection
i hope you understand, that it disturbs me, that every moron with no education can start a new 1 man web agency and start coding with no education in the field at all.
suit1337 I understand this, it's true of anyone who takes pride in their work. It's not really that shocking though. This is true of any business until government steps in to regulate it.
I think the true problem lies in the fact that Web Development is an all encompassing term even though it has several aspects: Design, Functionality, Reliability, Marketability, and, of course, Security. From what I've seen most people think these are the same, though many have started to separate design.
These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.
Got an exam on this tomorrow, this was so helpful for me, thanks! The way you explain things makes them easily accessible
This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). I the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both this attacks are well-known and defended against.
It's good having an episode of computerphile, mainly because the intricate and important details in computer are _so complicated_ even though I (thought) that I knew about computers. This kinda gives me a foundation.
Also you should probably talk about logic gates, whether it's minecraft or whatnot, they explain how you could have to light switches for one light
Just wanting to let you guys not know that you are doing a great job I love watching your videos and always get excited when I see that you posted another one.
I'm 16 years old and enjoy programming but thoose videos add another point of view to it and really get you thinking
Greetings from Germany
These are awesome. This guy makes Computerphile the channel I look forward to. More of him.
Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt tipped pen sound quieter/non existent. It makes my toes curl!
Word! That is even worse in Numberphile.
I know little about IT or programming, but your videos are always very informative and easy to understand, so thanks!
Great and informative video as always. Loving the amount of Tom on this channel.
Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!
This guy is an excellent presenter. Please, more of him.
I always wondered how Wordpress' nonce hash works. Thanks for the enlightenment!
Great, now i've got to rewrite the project i'm working on. I didn't know about this and it's so obvious. Good video!
If you have to rewrite a project to protect against CSRF attacks you are doing other things wrong as well
Rewrite? That sounds a bit like overkill. Just add a nonce token and you're as good as you'll get.
You'd be surprised how many web devs don't know about this in 2023
This was really interesting. I was aware of cross-site-scripting and sql Injection but I had never heard of this. Thanks :)
Tom, You are the best. Keep making those excellent videos.
The tale in the beginning about POST and GET requests is a bit of an ideal case too. Many sites actually work just as well if instead of a GET request you make a POST request with the same content, or vice versa.
these videos jus seem to come right after i've implemented something for a project in my courses ... Thank you for informing me of these things, heavens knows I'll need them in the field
This is great! :D I love the way Tom explains advanced terms in really simple ideas
This channel is absolutely amazing!
Great explanation, I did know this sort of attack existed but had never given much thought about how to mitigate it.
Ironically I saw "nonce" today in a code and I thought someone didn't follow code standard for nOnce or n_once. Now I know what they meant.
Very informative and explained in a simple and understandable manner. That's why Tom is my favorite, though I enjoy watching the others, too!
This mini series on security is just wonderfull. Love the content, love the voice, it's just great.
Can't i just load the other form in an invisible Iframe and then parse and search through the html retrieved? Use the token info and create my own form.
Best quality of explaining anything ever possible!! Thanks A TONNN!
Excellent description of XSRF. Thank you. I understand the concept and defenses now.
Thank you Dawson from Dawson's Creek!
The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.
This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)
Here's one consideration on how important it is to validate user input on the server side. Take any disabled html element. Open up firebug console and run some javascript, eg. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.
What a great tutor, very well explained!
Nice video ! I already heard about it but I didn't understood everything, so you've made the web a safer place !
Very helpful. I liked both the content and the way you described the CSRF. Thanks!!
Actually learned this now by the video. Quite interesting and will eb sure to include this in serious projects in the future.
This guy is amazing! More videos by him please!
Awesome video,great help.
I'm always waiting for your new videos .
still relevant even nowadays how beautiful
I've just watched the video, it was really helpful on my course! Thanks! 🙂
Love your videos! I will doing web computing in September at uni and these videos are excellent! Thanks
It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout the users needs to have been on the form which does the action, somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out and you could even track when they leave the form to immediately invalidate the nonce.
Another great video guys, looking forward to more cool explanations. Keep up the awesome work!
Great Video. As a novice web developer these videos help immensely. Keep them coming. A video on how to design a site which can be logged into securely would be very helpful.
I love this guy please keep making more videos with him
Excellent explanation in simplest terms!
I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.
I've been looking for a video that I can send to my non-techie friends to give them slight idea about XSRF. This video is what I've seen so far that's lay-man friendly.
Learning about this sort of thing really helps me understand *why* we covered all that stuff in Security class. At first glance it's like "oh jeez, look at all these layers upon layers of authentication, authorization, validation, validation-of-the-validation..." but these sorts of clever attacks are why. I didn't even know this sort of thing was possible.
I know this is not relevant to this video, but can you do a video on elliptic curve RSA cryptography?
Why does the camera randomly zoom in some times? it's really distracting.
Tom is good, a very good presenter.
this still goes under the radar 10y later btw
but what if the malicious webpage itself loads the bank site in the background, it can get the token that way.
cross-site scripting is blocked in browsers
as a simple example, say i have a site with a bunch of livestream embeds, and i set up a script that when i press F2, it scrolls to my favourite one
As soon as i click inside any of the streams, say the play button.., F2 won't work
and it'll continue to not work until i click outside again, giving focus back to my own page
The only way they can load the bank would be to actually load the bank visibly to you, because you're the only one that can interact with it..
the scripts can't..., not theirs anyway
I think that what you are saying is incorrect, i have done some coding with AJAX(Asynchronous JavaScript and XML) and it didn't need to be visible to be able to load.
and almost every page on the internet gets data from other sites invisible(i once had a chrome extension that showed which site you visited and where they took data from, an average site connected to more than 20 different websites(like for tracking: google analytic)
I think that the token will be different because it is another loading/creation of the form.
what do you mean other loading/creation of the form, it is not, the site downloads the form and the token, and then sends it back to the bank
oh do you mean, that even for the request of the forum not only the submission needs to be accompany by the token? That would make more sense and would solve that problem, thanks
Awesome...never even thought of such security issue...I think chrome's sandboxing of the tabs won't help here coz I have seen the sessions and cookies are shared across tabs....Keep it coming - love the videos
Will Tom be a regular? His bits are great.
I simply love all the Tom's videos, very well explained.
Keep going with the good content, Mr. Red T-shirt haha - I don't know if it is intentional or not, so I don't want to be a jerk. :p.
I'm a web developer and I didn't know the solution. Thank you very much.
you request the token with your script
and later in the script you use that token
easy if the form is standardized-like deleting enemy facebook pages
So...what the hell does nonce mean in Britain?
And here's the third one... Tom great as always.
By the way, with Django framework the way to prevent it is as simple and comfortable as adding {% csrf_token %} inside the form tag =).
Ya know, if accepting request from other website would work, then the form would likely be accessible by javascript running from the other website as well.
Which means, my javascript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.
Awesome Video, Systems security is to my mind the best subject to do videos on, keep doing that, this is very interesting, very useful ! Keep UP that good work
been waiting for this video
Thanks for the video. This is really useful.
This guy's videos are brilliant! Web security and hacking is so interesting. :)
I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?
I love these videos, thank you.
It just gets better!
Interesting as always!
Damn. Your /delete?confirm=true statement was a 100% hit. Gotta rename my parameters ;D
Ohhhhhh, so that's what the nonce thing is. Thanks Tom!
Lucky for me, I have learnt this in first class of my education.
FIRST!!! computerphile, teaching web attacks since '13
Thanks for helping me learn the valuable lesson of what a 'nonce' is in UK.
thanks for this magnificent explanation!
Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?
Being able to create your own version of a form a send that is a problem in general, as you could also strip out any checks in the original form you don't like.
Brilliant Video!
Awesome and clear explanation!
Tom Scott, I want to visit your awesome blog.
You can easily get around the random number thing just by making a PHP request to the site and grabbing that form element and inserting it right into your page! Then the random token will be correct everytime because the data is coming directly from the server.
Ty for those lessons, they are so cool!!!
Love this guy! Great video(s)!
Really interesting! But how do you know if your bank, etc. is using the token system? Also, can we get a computerphile video explaining bitcoin?
Speaking of account deletion, it's even safer to create a token and *not* return it directly to the user, but send an e-mail containing a link with this token.
Can you explain this more? I think I get what you're getting at but please explain.
Fuogger You may know this from several websites, when you have to click a link inside of an e-mail to confirm your action.
Hmmmm, time to add that to my project! :P Thank you Computerphile!
great explanation with a fantastic example! at the end you talked about how we should check if a token is being sent - how can we do this? is it just making sure we have the https instead of http in the URL?
Code Snippets Academy No that's obviously not enough :/
I just learned about nonces yesterday and implemented one ;)