[00:00:00,000] Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/400 Thanks!

[00:00:12,060] Before I begin, I have a personal note: this will be my first ever, and I wonder if I can take a picture with you all. Is that fine? Yeah. Fine by me, fine by me. Just a sec, and everybody say "fuck Perl".

[00:00:33,330] That's nice. OK, so today I'm obviously going to talk about Perl, so let's talk Perl. Its coding style sucks. Its OOP sucks. Its data types suck. Bad, but it is here since late '87. Many legacy systems... That's right, many legacy systems use it, most sysadmins use it. And unfortunately, unfortunately, too many security experts use it. And if you want to summarize it in a quote: "Perl is worse than Python because people wanted it worse." Larry Wall, the creator of the programming language.
[00:01:34,580] A lot of people enthusiastic in the crowd. So let's talk about data types. At first glance, those are just regular scalars, you already know: ints, strings, floats, etc. They even look like scalars, using this syntax. Then we have arrays. Those are just regular arrays, those square brackets, and pretty much look like this. And finally, we have dictionaries. Those are just regular dictionaries, in Perl called hashes. They use curly brackets and look like this. So far, so good. The syntax is understandable and everything works the way it should. But... but we forgot something. What about lists? So let's talk about lists.

[00:02:28,170] Let's take the following code as an example for the list. The section marked in bright yellow is the actual list. We'll assign the list into an array and then print its first element, which is obviously 1. Let's assign the list into a scalar now.
We expect this will only use the first element of the list, and that one will be printed out, like in every other normal language. But not in Perl, which uses the last element of a list. In that case, C. What?

[00:03:05,060] OK. OK. Although that only happens unless we cast the list as a scalar, in which case, instead of printing C like the previous example, it'll print 5, the number of elements in the list. What?

[00:03:25,250] Now, let's assign the list into a hash. The expected behavior is that this syntax will throw an exception, or at least print undefined when we actually use the hash. But Perl managed to treat that as a hash somehow, and B, even though it's not resembling any sort of hash syntax, and they even have a fucking uneven number of elements. What? But we'll dive into this behavior later.
[00:04:00,660] Meanwhile, it's important that you understand that this happens because a list is not a data type. It's just an expression, obviously created to confuse us.

[00:04:12,510] So after we saw that lists are a potential source for problems, we thought, wait, how can we even control the list? Well, one obvious way is to look around the CGI module. It's a core module responsible for processing and preparing HTTP requests and responses. Its data arrives from the user using HTTP parameters, and most, if not all, web applications use it. Also, like any other thing in Perl, it's been there for 15 years. So let's take the following code that prints the content of the foo and bar HTTP parameters. If we'll send this regular request, where 1 is assigned to foo and A is assigned to bar, we'll see that 1 and A are printed as expected. But what will happen if we send this request that contains the same parameters twice?
[00:05:05,520] The logical thing to think is that we will only take the first or last ones, once, so we see the exact same thing happen again. But as we already saw, Perl and logic aren't mixing well together. And in fact, we'll actually see two different lists being printed. That's right. If a parameter was multi-value in nature, Perl just makes a list out of it.

[00:05:30,300] But what does the documentation have to say about that? Well, this is a screenshot from the official documentation of Perl. OK, can you see the fault now? How about now? Still no? How about now? That's right. According to the documentation, you can ask to receive an array. How do you ask for an array? Well, you don't ask for an array, because the list is the default fucking value in case of a multi-value parameter. What.
[00:06:04,030] But what does OWASP say about that? According to them, the CGI module only takes the first occurrence. Well, in reality, it returns a list of occurrences. That makes both the documentation and OWASP blind to the idea of an HTTP parameter pollution attack, and they're both misleading every programmer who reads them.

[00:06:24,690] So let's start abusing lists. Let's create a list and a hash. As you can see, the value of the key is the list we've created. If we'll print the hash, we'll expect something like this to happen: one of the keys is assigned the data we've created. But in reality, the hash actually looks like this, with the second element used as the key name and the third element as the value assigned. What's...
[00:07:02,780] That happens because a list in a hash is considered an extension to the hash. [unintelligible] Although that's actually known since 2006, yet it got no attention and no vulnerabilities, or at least, using this trick, no vulnerabilities with such an easy to miss trick.

[00:07:28,910] So let's recap for a sec. We know already lists are fucked up because they're just plain expressions that are considered a sort of data type. We know CGI parameters can become lists if we'll send multi-value parameters. And we know that if we take a list and place it inside a hash, it will expand and become part of that. And finally, and most importantly, all of this is barely known and is super easy to miss when coding. So what the fuck are we going to exploit?
[00:08:02,460] Bugzilla. That's Bugzilla, the one that manages bugs for Linux, the Mozilla Foundation, Red Hat, MediaWiki, GNOME, Eclipse, OpenOffice and dozens of other companies. In Bugzilla, some privileges are given via a specific email domain and others. For example, an email on mozilla.org gains privileges that allow it to view confidential Firefox bugs. And users' emails get validated prior to the actual registration, using an email sent to its mailbox containing a token used for continuing registration, in order to validate the address. It makes sense. After the user enters the token, it's asked to provide a password and a real name for its new account. Then this code happens.

[00:08:51,600] This is the code for the user creation. It uses the create function from the Bugzilla::User package and inserts a dictionary containing the login name, which is the user email address after it's already validated, the password,
which is collected from the user, and as you probably guessed, the real name from the HTTP parameter. Bingo.

[00:09:13,320] So if we'll send this regular request, a user will be created with a login field that will also... But you'll remember that the list inside the hash just expands the hash. So if we'll send this request, where the real name is a list containing the string, also "login_name" and "admin@bugzilla.org", then suddenly Perl will create a new key and value pair and could override the value of login_name, even though it has been already set, thus controlling the email address. This vulnerability worked on the Mozilla Bugzilla and granted us privileges reserved only for Mozilla employees. Yet it's a super simple vulnerability. Thanks. Thank you.

[00:10:07,130] This is a super simple vulnerability that's been there for over seven years. So let's look at it again.
[00:10:16,070] Lists are fucked up. But those lists I showed thus far will only be applicable to hashes, though. Can't be the only place vulnerable, right? So let's leave hashes aside and take list expansion in Perl to the next level, so we could really fuck things up with some bizarre, undisclosed vulnerabilities in Perl modules.

[00:10:40,730] So this is the function. It takes three arguments, A, B and C, and just prints them. Try to remember the previous ones; there are plenty more to come. So in a regular call with A, B and C as values, we expect A, B and C to be printed out, which is exactly what happens. But what happens if instead of just the string B we'll enter a list containing it? We expect the second argument to be inserted into an array and displayed that way. But don't forget, Perl is that special kid in class that [unintelligible] whenever something it didn't expect happens.
[00:11:23,720] So Perl actually takes the single-valued list and treats it as a string in the second parameter. What? OK, you know what? Let's allow this one to slide. After all, maybe Perl just expands single-value lists into their single value. Maybe it makes sense to developers at some point. Let's force the list to be a multi-value with B and C as elements. So it has to be, in any way, expected to print the second argument as an array containing B and C, right? After all, that's exactly what we've coded. But again, Perl says fuck off, and it'll actually treat this thing, B, as the second argument and this thing, C, as the third. What? That's insane. We actually created another argument using only a list. Look at the syntax. It's the exact same syntax you would have used to create a regular array.
[00:12:27,650] Let's try to defend against this kind of behavior and hardcode the third element as D. Now Perl can't just ignore it, and it has to treat our list as an entity, with the function argument as D, right? Well, no. In reality, Perl overrides the third argument we've hardcoded into the function with the content inside the list. What the fuck. What the fuck, Perl? Perl just expands our list, containing more arguments for the function. That's completely mind blowing. But the Perl documentation says that this behavior is not a bug. It's a feature. Is it? Thank you.

[00:13:23,310] Let's look at the quote. DBI is a core module since 1994. I was born that... It is the most common way to communicate with databases, and almost everyone uses it to do so.
[00:13:39,210] It has only one function for defending against SQL injections: quote. Let's see how this function works. If we'll send a regular string, the function will just place it inside apostrophes. But if we're trying to inject something like this string, quote will escape it for us, so it would be safe to use inside the query. So let's see a regular example for using the function. In this code we'll call the user CGI parameter and insert it into our query. The DBH variable is the connection and the CGI variable is the CGI instance. If we'll send a regular user string, a regular query will be printed out. But if we try to inject an apostrophe, quote will take care of it and escape it, so we can't inject any malicious SQL. Well, looks like you're right. After all, it's been there for more than two decades.

[00:14:32,640] Well, I think it's time for the demo. So what we have here, just a sec. Right.
[00:14:45,020] This is a code I've created. You can see it magnified, right? Just a sec, how can I fucking magnify something in a little while? So... Oh, sorry, sorry about that. No.

[00:15:09,240] OK, so do you see the code? We just get the variables and then connect to the DB and then put into... that exact same query we used in the presentation. So if I open back up for just a sec, let's see what it is. There you go. Oh, oh, something happened. Something happened in Perl... [unintelligible]. No. Kind of like an... [unintelligible]. Nope. I copied to notepad, so what I'm sending now is this request. OK, look at it. [unintelligible] I'm sending this request: user equals admin, OK? Now, let's see what the output of that request will bring us. So it brought us this.
[00:16:19,870] I can zoom in. Zoom, it doesn't work. I don't know why on [unintelligible] can download the font only... wait. You know what? Maybe I can. Let's see. Such an intuitive editor. Scroll, yeah, it doesn't work, it just goes back to the presentation if I scroll, so. Oh no, it doesn't. Oh.

[00:16:49,890] Yeah, and this is how the query looks, so you just select all from users where username equals admin, right? Everything is well, and now we'll send admin apostrophe. OK, we'll try to inject an apostrophe. So we got back this. OK. The apostrophe has been escaped, so we couldn't inject anything. And now I'm going to send this request. I'm going to type it in notepad. I'm going to send this request. And we'll see what happens. Good luck, Perl. And this is what came back: no escaping, this is the bypass. Yeah, that's good. Inject everything. So back to the presentation.
[00:17:52,280] That happens because... we could bypass escaping because quote takes, in fact, two arguments: the string to quote and its type, which defaults to string. I never saw anyone use that type argument. But if someone did, it's supposed to help the function decide what to do with the string and if and how it should escape it. Quote does that by matching the type against several constants declared in the module. These constants are actually just numbers, ranging from the number 2 to the number 8. So when we've inserted the number 2 as the second argument, quote thought this string is actually an integer and decided to let it go as it is, without escaping it.

[00:18:38,870] Now, that is the second failure. That is the second failing of this function, and it didn't even validate we've inserted an actual number. Who is the feature now, bitch?

[00:18:59,900] So you're probably wondering what could be achieved with all that mind blowing fucked up
shit in Perl. Well, we could bypass authentication and execute code and upload any file with TWiki, inject SQL into Movable Type, and then... just a small portion of what could really be achieved if someone took the time and effort for exploiting stuff with it. By the way, I'm just saying, for example, just... just search "CGI" and "quote" at GitHub and consider what you can do with it.

[00:19:35,470] So let's sum up. Lists are hazards. This bizarre expression is a hazard of this bizarre language. Now is the time to stop using it. Yeah, stop using it. Stop the [unintelligible]. Yes, but before... Stop the dysfunctional and complicated OOP. And most importantly, stop the security breaches that are all over the place. And if you do end up writing Perl, at least know your goddamn language features. Thank you.

[00:20:25,570] [unintelligible] Q&A.
So please line up at the microphones, and for Samuel will take a few questions. Do you have questions? The Internet has questions. Oh, we have a question. OK. The Internet has one question right now: can you avoid this with proper user validation and use of strict and warnings?

[00:20:52,270] Use strict? Doesn't do anything in that case. It just... the list doesn't have anything to do with strict. Um, for the second part, after we released the Bugzilla vulnerability, the author of CGI.pm released a new version of CGI.pm that, I don't know, tries to restrict the use of this list behavior. But in reality, all it does is, when you send a multi-value parameter, it just won't do so. If I use it, it just warns me I attacked the system.

[00:21:31,750] So thanks for the info about... Yeah, microphone two. Yeah, I'm going to be the one asshole here who really loves Perl.
557 00:21:45,030 --> 00:21:46,289 I've been waiting for you.
558 00:21:46,290 --> 00:21:47,420 I've been waiting for you.
559 00:21:48,570 --> 00:21:50,639 Could you go back to the summary
560 00:21:50,640 --> 00:21:51,699 you gave?
561 00:21:51,700 --> 00:21:53,549 What was that of the previous night with
562 00:21:53,550 --> 00:21:55,679 the summary? Yeah, sorry.
563 00:21:55,680 --> 00:21:56,349 Sorry about that.
564 00:21:56,350 --> 00:21:58,499 You say lists are hazardous
565 00:21:58,500 --> 00:22:00,599 in bizarre expressions, but
566 00:22:00,600 --> 00:22:02,759 what you really need to see is that
567 00:22:02,760 --> 00:22:04,589 arrays and lists are two completely separate
568 00:22:04,590 --> 00:22:06,389 constructs. And if I look at the examples
569 00:22:06,390 --> 00:22:08,429 you gave about using lists and document
570 00:22:08,430 --> 00:22:10,559 calls, it really
571 00:22:10,560 --> 00:22:12,449 looked like you were really trying for
572 00:22:12,450 --> 00:22:14,459 lists to be Python arrays.
573 00:22:14,460 --> 00:22:16,559 I want them to be Python arrays, but
574 00:22:16,560 --> 00:22:18,149 if you want Python arrays, you've got to use
575 00:22:18,150 --> 00:22:19,150 Python
576 00:22:20,460 --> 00:22:21,460 useful.
577 00:22:22,590 --> 00:22:24,979 So, yeah, I know
578 00:22:24,980 --> 00:22:26,459 it's only an opinion. It's not really a
579 00:22:26,460 --> 00:22:28,709 question. But what this boils
580 00:22:28,710 --> 00:22:30,749 down to is that you have found two functions
581 00:22:30,750 --> 00:22:33,959 that are designed very badly,
582 00:22:33,960 --> 00:22:35,669 in, for example, the code that takes the
583 00:22:35,670 --> 00:22:37,589 second argument, that shouldn't happen.
584 00:22:37,590 --> 00:22:39,929 You mean blame Perl.
585 00:22:39,930 --> 00:22:40,979 That's what you guys do,
586 00:22:42,060 --> 00:22:42,759 blame the programmer.
587 00:22:42,760 --> 00:22:44,849 But no, no, no, no,
588 00:22:44,850 --> 00:22:45,779 no, no, no.
589 00:22:45,780 --> 00:22:46,890 Wait, wait, wait, wait, wait.
590 00:22:48,270 --> 00:22:49,739 In a serious tone.
591 00:22:49,740 --> 00:22:51,809 Like, why do we even have
592 00:22:51,810 --> 00:22:53,369 lists if you already have?
593 00:22:54,600 --> 00:22:56,369 What's the point of lists?
594 00:22:56,370 --> 00:22:59,159 You know, the what
595 00:22:59,160 --> 00:23:01,319 you can assign them to do and you can
596 00:23:01,320 --> 00:23:02,759 assign them to an array.
597 00:23:02,760 --> 00:23:03,809 They are not a data type.
598 00:23:03,810 --> 00:23:05,339 They are expressions.
599 00:23:05,340 --> 00:23:07,949 We have them in the first place.
600 00:23:07,950 --> 00:23:10,499 You know, I don't know.
601 00:23:10,500 --> 00:23:12,690 Firstly, four, five.
602 00:23:13,950 --> 00:23:16,109 First of all, thank you for the talk,
603 00:23:16,110 --> 00:23:18,989 it's so entertaining
604 00:23:18,990 --> 00:23:20,740 and I'm glad to.
605 00:23:22,620 --> 00:23:24,689 Do you have any idea why it
606 00:23:24,690 --> 00:23:27,179 took so long for somebody to actually
607 00:23:27,180 --> 00:23:28,180 notice this?
608 00:23:32,120 --> 00:23:33,920 I don't know, I don't know.
609 00:23:36,470 --> 00:23:37,520 Because it's what?
610 00:23:40,290 --> 00:23:42,539 Right, probably,
611 00:23:42,540 --> 00:23:43,540 probably.
612 00:23:46,010 --> 00:23:48,139 Microphone three, yeah,
613 00:23:48,140 --> 00:23:50,240 thanks for the awesome talk.
614 00:23:51,590 --> 00:23:53,689 Long time no Perl, so
615 00:23:53,690 --> 00:23:55,549 I don't know if it's a stupid question,
616 00:23:55,550 --> 00:23:57,799 but your
617 00:23:57,800 --> 00:24:00,509 code, there was no warnings enabled,
618 00:24:00,510 --> 00:24:02,659 no use. Does this change anything?
619 00:24:02,660 --> 00:24:03,709 I was wondering.
620 00:24:03,710 --> 00:24:05,119 It doesn't change anything.
621 00:24:05,120 --> 00:24:07,249 And warnings just warns, you
622 00:24:07,250 --> 00:24:09,259 know, when you program it, like when you
623 00:24:09,260 --> 00:24:11,629 program an application and boogum
624 00:24:11,630 --> 00:24:14,569 it uses a single-valued parameter,
625 00:24:14,570 --> 00:24:16,399 it doesn't do anything.
626 00:24:16,400 --> 00:24:18,469 But it actually warns you, because
627 00:24:18,470 --> 00:24:22,009 when I first learned Perl,
628 00:24:22,010 --> 00:24:22,969 use warnings.
629 00:24:22,970 --> 00:24:24,559 And if there's a single warning, you have
630 00:24:24,560 --> 00:24:25,560 a huge problem.
631 00:24:26,770 --> 00:24:29,019 The warning is that, you can, I
632 00:24:29,020 --> 00:24:31,269 can now enable warnings and the same
633 00:24:31,270 --> 00:24:32,969 will work just fine.
634 00:24:32,970 --> 00:24:34,929 I showed previously, do you want me to.
635 00:24:34,930 --> 00:24:36,109 No, no, I believe you.
636 00:24:36,110 --> 00:24:37,149 I was just wondering.
637 00:24:37,150 --> 00:24:38,259 OK, ok.
638 00:24:38,260 --> 00:24:40,119 OK, because I can.
639 00:24:40,120 --> 00:24:41,829 Thanks again. No probs.
640 00:24:41,830 --> 00:24:44,349 Internet ok.
641 00:24:44,350 --> 00:24:46,359 One other question from the Internet.
642 00:24:46,360 --> 00:24:48,579 How to avoid or fix these errors in
643 00:24:48,580 --> 00:24:50,829 applications already written in Perl.
644 00:24:50,830 --> 00:24:52,989 So in order to avoid
645 00:24:52,990 --> 00:24:55,659 this stuff,
646 00:24:55,660 --> 00:24:57,789 you actually have to
647 00:24:57,790 --> 00:24:59,889 treat every CGI parameter as a
648 00:24:59,890 --> 00:25:02,739 scalar if you actually intend to
649 00:25:02,740 --> 00:25:04,269 use it as a scalar.
650 00:25:04,270 --> 00:25:06,159 Like if you don't want to, if you want to
651 00:25:06,160 --> 00:25:08,259 pass an array into a function
652 00:25:08,260 --> 00:25:10,929 or a hash, so that the hash
653 00:25:10,930 --> 00:25:13,689 will actually treat it as another array,
654 00:25:13,690 --> 00:25:16,809 you have to backslash the reference
655 00:25:16,810 --> 00:25:18,069 to that list.
656 00:25:18,070 --> 00:25:20,499 You have to backslash a variable.
657 00:25:20,500 --> 00:25:23,129 So that's how you overcome that.
658 00:25:23,130 --> 00:25:24,130 I'll discuss it. This is.
659 00:25:25,630 --> 00:25:26,709 Microphone four,
660 00:25:27,910 --> 00:25:30,219 the example with DBI, I
661 00:25:30,220 --> 00:25:32,529 used the manual quote function,
662 00:25:32,530 --> 00:25:34,749 I usually use prepared statements,
663 00:25:34,750 --> 00:25:37,239 have you checked if that's safe
664 00:25:37,240 --> 00:25:39,249 or is in there as well, prepared
665 00:25:39,250 --> 00:25:41,409 statements, I'll say if I did check them.
666 00:25:41,410 --> 00:25:43,629 But you can inject
667 00:25:43,630 --> 00:25:44,559 more values.
668 00:25:44,560 --> 00:25:46,839 The prepared statement, as
669 00:25:46,840 --> 00:25:48,939 a result from this, you can inject
670 00:25:48,940 --> 00:25:51,249 anything into any function if it's
671 00:25:51,250 --> 00:25:52,479 inserted into a list.
672 00:25:52,480 --> 00:25:54,669 Once you gain an
673 00:25:54,670 --> 00:25:57,099 argument that is a list,
674 00:25:57,100 --> 00:25:59,409 you control, you control every other
675 00:25:59,410 --> 00:26:01,779 argument in the function that follows it.
676 00:26:01,780 --> 00:26:03,670 You understand, right?
677 00:26:05,250 --> 00:26:07,469 Microphone five, yeah, I just
678 00:26:07,470 --> 00:26:08,729 want to ask you if you know what
679 00:26:08,730 --> 00:26:10,829 references are, and if you read the
680 00:26:10,830 --> 00:26:13,649 documentation page, then you should know
681 00:26:13,650 --> 00:26:16,079 that you use prepare
682 00:26:16,080 --> 00:26:17,609 those like three fettling through the.
683 00:26:19,050 --> 00:26:20,050 Yeah,
684 00:26:22,200 --> 00:26:24,519 yeah, I, I did read
685 00:26:24,520 --> 00:26:26,789 the manual for DBI.
686 00:26:26,790 --> 00:26:28,769 This is obviously bad programming.
687 00:26:28,770 --> 00:26:30,450 Right. But again, blame the programmer.
688 00:26:32,270 --> 00:26:33,749 It's that basic.
689 00:26:33,750 --> 00:26:35,279 You can say anything you want about the
690 00:26:35,280 --> 00:26:37,469 reference, and the
691 00:26:37,470 --> 00:26:40,229 language isn't supposed to work that way.
692 00:26:40,230 --> 00:26:42,719 But you know, if we're looking at
693 00:26:42,720 --> 00:26:44,699 it logically, it does.
694 00:26:44,700 --> 00:26:46,170 It is supposed to work that way.
695 00:26:47,180 --> 00:26:49,069 I don't think so, it's documented in
696 00:26:49,070 --> 00:26:50,079 Learning Perl.
697 00:26:50,080 --> 00:26:51,080 Yes,
698 00:26:53,010 --> 00:26:55,069 DBI is in the
699 00:26:55,070 --> 00:26:56,569 first chapter.
700 00:26:56,570 --> 00:26:57,570 Sure thing.
701 00:26:58,270 --> 00:26:59,569 OK, nice to know.
702 00:26:59,570 --> 00:27:00,570 Microdata.
703 00:27:02,000 --> 00:27:04,159 Yeah, this is microphone
704 00:27:04,160 --> 00:27:06,350 two, to address, can repeat
705 00:27:07,580 --> 00:27:09,649 it. Flattening lists
706 00:27:09,650 --> 00:27:12,199 and arguments and references, passing
707 00:27:12,200 --> 00:27:14,899 reference. It's basic documentation,
708 00:27:14,900 --> 00:27:16,279 it's basic design of the language.
709 00:27:16,280 --> 00:27:18,259 So not no problem.
710 00:27:18,260 --> 00:27:20,509 The reference thing is
711 00:27:20,510 --> 00:27:21,709 completely fine.
712 00:27:21,710 --> 00:27:23,749 But the problem is in the CGI, you
713 00:27:23,750 --> 00:27:25,879 understand it when you get I completely
714 00:27:25,880 --> 00:27:28,039 agree that the two modules, the,
715 00:27:28,040 --> 00:27:30,109 the bugs you found, those are bad.
716 00:27:30,110 --> 00:27:32,029 I blame the programmers of those modules.
717 00:27:32,030 --> 00:27:33,049 Yes, exactly.
718 00:27:33,050 --> 00:27:34,099 Exactly.
719 00:27:34,100 --> 00:27:35,309 Exactly.
720 00:27:35,310 --> 00:27:36,229 That's the point.
721 00:27:36,230 --> 00:27:37,459 That's the point. That's not good
722 00:27:37,460 --> 00:27:39,739 programming. That's bad programming that
723 00:27:39,740 --> 00:27:42,119 everyone does, you know,
724 00:27:42,120 --> 00:27:43,120 unless you like
725 00:27:44,310 --> 00:27:46,399 in two entities, not even
726 00:27:46,400 --> 00:27:48,109 if you're programming. Twenty percent.
727 00:27:48,110 --> 00:27:49,969 That's still worked on Bugzilla.
728 00:27:49,970 --> 00:27:51,949 They maintained it for, like, I don't
729 00:27:51,950 --> 00:27:53,539 know, two thousand ninety eight,
730 00:27:53,540 --> 00:27:55,489 something like that. And they still
731 00:27:55,490 --> 00:27:57,649 haven't figured out yet that
732 00:27:57,650 --> 00:27:59,240 this is what CGI does.
733 00:28:01,320 --> 00:28:04,049 There's one last question on all three,
734 00:28:04,050 --> 00:28:06,299 so my impression of what's going on here
735 00:28:06,300 --> 00:28:08,399 is that basically
736 00:28:08,400 --> 00:28:09,899 you have a weird type of value that
737 00:28:09,900 --> 00:28:11,639 allows you to mess with the structure of
738 00:28:11,640 --> 00:28:13,199 a syntax tree at runtime.
739 00:28:13,200 --> 00:28:14,729 Are you aware of any other languages that
740 00:28:14,730 --> 00:28:15,749 do that?
741 00:28:15,750 --> 00:28:17,969 Because if there are, it's very
742 00:28:17,970 --> 00:28:18,959 likely that they're going to be
743 00:28:18,960 --> 00:28:20,639 exploitable in a very similar fashion,
744 00:28:20,640 --> 00:28:22,210 because nobody is going to understand
745 00:28:23,260 --> 00:28:25,499 this. If there are more
746 00:28:25,500 --> 00:28:27,569 languages, I'll give
747 00:28:27,570 --> 00:28:28,920 more presentations, I guess.
748 00:28:31,740 --> 00:28:33,839 Sorry, man, I don't know if anyone
749 00:28:33,840 --> 00:28:34,840 any.
750 00:28:37,240 --> 00:28:39,579 So thanks, Nathaniel,
751 00:28:39,580 --> 00:28:41,379 no problem. Thank you.
752 00:28:41,380 --> 00:28:42,380 Thank you all.