TIL #1: XML Bombs, HTTP Strict Transport Security & More.
This year I decided to write more. As part of keeping a writing habit, I thought it’d be beneficial to document things I learn and write monthly blog posts about them.
I came up with this idea of mindfully noting down new knowledge to keep track of my path or remember things I learn better.
The post you’re reading now is the very first of more to come. I call this kind of post a “MOTIL” – Month of TILs. MOTILs is the best name I came up with; it doesn’t matter what I call it. What matters is writing consistently until the end of the year.
Without further ado, here’s some stuff I learned in January 2021.
Subresource Integrity Checks
Very often, we depend on third-party code. If an attacker compromises the source we import that code from, they can harm every user of our site.
Suppose we import some JavaScript from a Content Delivery Network (CDN) and that CDN is hacked: the attacker can append malicious code to the JavaScript we import, and every visitor’s browser runs it. Subresource Integrity (SRI) is one way to mitigate this class of attack through third-party code: the browser hashes the bytes it fetched and refuses to execute the script unless the hash matches the one pinned in our page.
Taking advantage of this security feature involves just a handful of steps:
- Get a cryptographic hash (digest) of the resource you’re importing.
- Embed the resource with an integrity attribute containing that hash.
For the first step, you can leverage openssl to generate the hash of the imported resource like so:
cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A
Hash the exact bytes the CDN serves (fetch the file from its CDN URL first rather than from a local copy), because any difference, a newer version or a different minification, makes the browser refuse the script.
In the second step, you embed it. Your code could then look like this:
<script src="some_url"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC"
crossorigin="anonymous">
</script>
The crossorigin="anonymous" attribute matters for a resource on another origin: the browser can only verify bytes it is allowed to read, so the CDN must answer with CORS headers and the tag must opt in with crossorigin. Without that, the response is opaque, the integrity check fails and the script does not run.
There’s a handy site that generates SRI hashes.
HTTP Strict Transport Security
A lot of sites redirect an HTTP connection to HTTPS. That first plain-HTTP request is the weak spot: a man-in-the-middle on the path can answer it in place of the real server, keep the victim on HTTP, and read or rewrite everything that follows, including any cookie the site set without the Secure flag, since the browser attaches such cookies to HTTP requests as well.
The HTTP Strict Transport Security (HSTS) policy instructs the browser that, for max-age seconds after it last saw the header, it must reach the host over HTTPS only: HTTP URLs for that host are rewritten to HTTPS before a request leaves the browser, and certificate errors become hard failures instead of click-through warnings. Browsers only honour the header when it arrives over HTTPS, so the very first visit stays unprotected unless the domain is on the browsers’ preload list. We set the Strict-Transport-Security
header in responses from the server; on Nginx, for example:
server {
    # one year (365 * 86400 s); "always" also sends the header on error responses
    add_header Strict-Transport-Security "max-age=31536000" always;
}
A short max-age protects for only as long as it says, and max-age=0 tells the browser to forget the policy. Adding includeSubDomains extends the policy to every subdomain, which is worth doing once all of them serve HTTPS.
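As an added example, not from the original post, here is a small Ruby audit helper that parses a Strict-Transport-Security value the way RFC 6797 says a browser must, reports the weaknesses a reviewer would flag, and answers whether a stored policy would force HTTPS for a given request host. The header values and host names are constructed; the function names and the one-year threshold (the minimum the preload list accepts) are my choices.

```ruby
# Parse a Strict-Transport-Security value as RFC 6797 tells a browser to:
# directives separated by ';', names case-insensitive, max-age required,
# no directive may appear twice. Returns nil for a header a browser would ignore.
def parse_hsts(value)
  policy = { max_age: nil, include_subdomains: false, preload: false }
  seen = []
  value.split(";").each do |directive|
    name, raw = directive.strip.split("=", 2)
    next if name.nil? || name.empty?
    name = name.strip.downcase
    return nil if seen.include?(name)   # duplicate directive invalidates the header
    seen << name
    case name
    when "max-age"
      seconds = raw.to_s.strip.delete_prefix('"').delete_suffix('"')
      return nil unless seconds.match?(/\A\d+\z/)
      policy[:max_age] = seconds.to_i
    when "includesubdomains" then policy[:include_subdomains] = true
    when "preload"           then policy[:preload] = true
    end
  end
  policy[:max_age] ? policy : nil
end

# Preload lists require at least one year (assumed threshold for the audit).
ONE_YEAR = 31_536_000

# Weaknesses an audit would flag for a parsed policy (nil = header missing/invalid).
def hsts_findings(policy)
  return ["header missing or invalid: browser will not enforce HTTPS"] if policy.nil?
  findings = []
  findings << "max-age=0 removes the host from the browser's HSTS list" if policy[:max_age].zero?
  if policy[:max_age].between?(1, ONE_YEAR - 1)
    findings << "max-age is shorter than one year (#{policy[:max_age]} s)"
  end
  findings << "includeSubDomains missing: subdomains can still be reached over HTTP" unless policy[:include_subdomains]
  findings
end

# Would a browser that stored `policy` for `policy_host` rewrite a plain-HTTP
# request to `request_host` into HTTPS?
def hsts_upgrade?(policy, policy_host, request_host)
  return false if policy.nil? || policy[:max_age].zero?
  return true if request_host.casecmp?(policy_host)
  policy[:include_subdomains] && request_host.downcase.end_with?(".#{policy_host.downcase}")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header values, as a server might send them.
  ["max-age=3153600", "max-age=31536000; includeSubDomains; preload", "includeSubDomains"].each do |header|
    policy = parse_hsts(header)
    puts "#{header.inspect}: #{hsts_findings(policy).inspect}"
    puts "  api.example.com upgraded? #{hsts_upgrade?(policy, 'example.com', 'api.example.com')}"
  end
end
```

The parser returns nil for anything a browser would silently discard (no max-age, a non-numeric value, a repeated directive), which is the case to watch for in a config review: the header looks present in the response but grants no protection at all.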
The Doorway Effect
You know the feeling when you enter a room and forget why you went in? It’s happened to me countless times. When this happens, there’s one thing I do to remember what I went to that room for, and that is to go back out of the room and wait a few seconds; then I remember what I was after. Well, it turns out there’s a name for it. It’s called the Doorway Effect.
Psychologists believe that passing through a doorway and entering a different room creates a ‘mental block’ in the brain, which means that walking through open doors resets the memory to make room for the creation of a new episode. This is generally referred to as the doorway effect.
You’re welcome.
Check-In Last Minute On Flights
I can’t count how many times I’ve paid extra to secure the seat I want on a flight. I learned that:
When checking-in online many airlines ‘randomly’ allocate passenger seats, with the middle seats often assigned first so that passengers are tempted to pay extra to change their seat! - Peter Duffy
This makes sense to me. I will try this after the pandemic is over. Ha!
Code Animation in Keynote
Apple’s Keynote app is compelling. It seems less so if you don’t know how to use it or what to do with it. I learned how to animate code in Keynote. I spent about thirty minutes Googling and two hours of practice to get the hang of animating in Keynote.
Here’s one of the animations I produced using Keynote.
Writing yet another article on method_missing, got caught in animating instead of actually writing but here's why you should make it a habit of defining respond_to_missing? anytime you overwrite method_missing. I'll share the article after the battle with procrastination is won. pic.twitter.com/28tR74AACe
— Emmanuel Hayford (@siaw23) January 11, 2021
Fancy slide animations like this can be an effective way of teaching. I’m content I learned this.
XML Bombs Or Billion Laughs Attack
These days JSON and YAML have largely taken over the roles XML was the go-to for decades ago, and far fewer systems pick XML for data encoding or configuration now. The decline in XML’s popularity doesn’t mean web servers stopped parsing it.
Plenty of web applications still parse XML, often without the developer thinking about it (SAML and SOAP, RSS and Atom feeds, SVG and Office document uploads, legacy APIs), which means there’s an attack vector to mitigate.
There are two main ways of describing XML structure:
- Document Type Definition (DTD)
- XML Schema Definition (XSD)
XSD is more modern and expressive and describes a broader set of XML documents. I checked which of these two Nokogiri uses and didn’t see any DTD trace; this is good because DTD-based parsers may be vulnerable to XML bombs. Strictly, the schema language used for validation is beside the point: what matters is whether the parser substitutes general entities declared in a document’s own inline DTD. Nokogiri’s default parse options do not include NOENT, so such references are left unexpanded, and that protection goes away if substitution is switched on.
XML bombs use inline DTDs to blow up the memory usage of an XML parser and crash servers. The document declares a small entity, then an entity made of ten references to it, then one made of ten references to that, and so on; nine levels of this fit in under a kilobyte but expand to a billion copies of the base string, about 3 GB, the moment the parser substitutes them (hence “billion laughs”). The fix is on the parser side: disable DTD processing or entity substitution for untrusted input, or cap how far entities may expand.
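The expansion arithmetic is easier to see than to describe, so here is an added Ruby example (mine, not the author’s or Nokogiri’s code) that builds the classic billion-laughs document and then sizes its expansion without performing it, the kind of pre-parse check one could run on untrusted XML before handing it to a real parser. The payload is constructed, the regexes cover only the simple declaration syntax used here (no parameter or external entities), and the size and amplification limits are illustrative assumptions.

```ruby
# Constructed input: the classic billion-laughs document. depth=9, fanout=10
# makes &lol9; expand to 10**9 copies of "lol", about 3 GB from under 1 KB.
def billion_laughs(depth: 9, fanout: 10)
  decls = [%(<!ENTITY lol "lol">)]
  prev = "lol"
  (1..depth).each do |i|
    decls << %(<!ENTITY lol#{i} "#{"&#{prev};" * fanout}">)
    prev = "lol#{i}"
  end
  "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n  #{decls.join("\n  ")}\n]>\n" \
    "<lolz>&#{prev};</lolz>\n"
end

# Simple-syntax matchers (assumption: no parameter/external entities, names are \w+).
ENTITY_DECL = /<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>/
ENTITY_REF  = /&(\w+);/

# Split the internal DTD subset (the part inside "[...]") from the document body.
def split_document(xml)
  m = xml.match(/<!DOCTYPE[^\[>]*\[(.*?)\]\s*>/m)
  m ? [m[1], m.post_match] : ["", xml]
end

# name => replacement text, kept verbatim (nothing is expanded here).
def entity_table(internal_subset)
  internal_subset.scan(ENTITY_DECL).each_with_object({}) do |(name, dq, sq), table|
    table[name] = dq || sq
  end
end

# Fully expanded length of `text`, computed arithmetically: each "&name;" is
# swapped for the (memoised) expanded length of its definition, so a 3 GB
# result costs a few hundred integer additions instead of 3 GB of RAM.
# References to undeclared entities (&amp;, &lt;, ...) are left as they are;
# a reference cycle raises, since it is illegal XML and a loop for naive parsers.
def expanded_size(text, table, memo = {}, stack = [])
  size = text.length
  text.scan(ENTITY_REF).flatten.each do |name|
    next unless table.key?(name)
    raise "entity reference loop via #{name}" if stack.include?(name)
    memo[name] ||= expanded_size(table[name], table, memo, stack + [name])
    size += memo[name] - (name.length + 2)   # "&name;" replaced by its expansion
  end
  size
end

# Pre-parse check: refuse the document when the expansion exceeds an absolute
# cap or an amplification ratio (both limits are illustrative assumptions).
def xml_bomb_check(xml, max_bytes: 10 * 1024 * 1024, max_amplification: 100)
  subset, body = split_document(xml)
  expanded = expanded_size(body, entity_table(subset))
  ratio = expanded.to_f / xml.length
  { input_bytes: xml.length, expanded_bytes: expanded, amplification: ratio.round(1),
    safe: expanded <= max_bytes && ratio <= max_amplification }
end

if __FILE__ == $PROGRAM_NAME
  p xml_bomb_check(billion_laughs)
  p xml_bomb_check(%(<!DOCTYPE a [<!ENTITY x "hi">]><a>&x;&x;</a>))
end
```

Running it reports an input of a few hundred characters with an expansion of about three billion, which is the number a parser would otherwise try to allocate. A check like this is a belt-and-braces measure, not a substitute for configuring the parser to leave entities unexpanded; its real value is showing why entity substitution on untrusted input has to be off.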
Facebook Grasping At Straws
I learned about Facebook’s efforts to stay relevant by providing “free internet” in developing countries.
Perhaps they don’t want to die out like MySpace or Hi5. Facebook has already saturated the market for new members in developed countries, and now it wants to keep afloat by gaining new users elsewhere, which equates to more data to target for ads.
They still have some juice in the tank for some time. No one knows for how long though.
One of the best things I did for myself in 2020 was to quit Facebook. Privacy issues aside, I honestly don’t find any value in Facebook.
That’s it for January 2021.