As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.
The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!
After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to the Tom and the Computerphile team for spending their time and effort to make these great videos!
Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person i'd have wanted to be best friends with if we'd been kids at the same time and place
I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites. Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers screen-name authentication, and to modify my screen-name when I was in the chat. Worst-yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations. Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.
suit1337 Yes, I know about these issues. I think most of the developers out there enjoy these videos regardless of what they know about the subject. And there is always a chance of learning something new.
suit1337 You do know that web developers can be new to web development right? We don't live in the age where the only way to learn something is through a proper school. You could easily start your web development very small time on your own and be unaware of the basic security flaws...
I'm aware of that - and that is a shocking development in this business. Take another work field for example: someone could not easily start a business as an electrician without proper education - but you can start as a web developer. there are lots of fools around here with no clue, even in the basic properties of the business but they make shitloads of money with their crap that really fills me, doing proper work, with anger --- just an example from my country (austria) - the website of our ex financial minister was priced at 220.000 Euro the website of the agricultural ministry cost about 5,5 Million Euros and those websites are not even closely done properly and get defaced over and over again - instead of blaming the stupid overpriced web developers with no proper education they blame the "bad hackers" a few weeks ago our interior ministry presented a new 100 % hackerproof "student licence" - it was hacked only 3 days after via a very simple SQL injection i hope you understand, that it disturbs me, that every moron with no education can start a new 1 man web agency and start coding with no education in the field at all.
suit1337 I understand this, it's true of anyone who takes pride in their work. It's not really that shocking though. This is true of any business until government steps in to regulate it. I think the true problem lies in the fact that Web Development is an all encompassing term even though it has several aspects: Design, Functionality, Reliability, Marketability, and, of course, Security. From what I've seen most people think these are the same, though many have started to separate design.
These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.
This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). I the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both this attacks are well-known and defended against.
Just wanting to let you guys not know that you are doing a great job I love watching your videos and always get excited when I see that you posted another one. I'm 16 years old and enjoy programming but thoose videos add another point of view to it and really get you thinking Greetings from Germany
Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt tipped pen sound quieter/non existent. It makes my toes curl!
It's good having an episode of computerphile, mainly because the intricate and important details in computer are _so complicated_ even though I (thought) that I knew about computers. This kinda gives me a foundation. Also you should probably talk about logic gates, whether it's minecraft or whatnot, they explain how you could have to light switches for one light
Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!
The tale in the beginning about POST and GET requests is a bit of an ideal case too. Many sites actually work just as well if instead of a GET request you make a POST request with the same content, or vice versa.
these videos jus seem to come right after i've implemented something for a project in my courses ... Thank you for informing me of these things, heavens knows I'll need them in the field
This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)
Here's one consideration on how important it is to validate user input on the server side. Take any disabled html element. Open up firebug console and run some javascript, eg. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.
The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.
Can't i just load the other form in an invisible Iframe and then parse and search through the html retrieved? Use the token info and create my own form.
It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout the users needs to have been on the form which does the action, somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out and you could even track when they leave the form to immediately invalidate the nonce.
I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.
I've been looking for a video that I can send to my non-techie friends to give them slight idea about XSRF. This video is what I've seen so far that's lay-man friendly.
Learning about this sort of thing really helps me understand *why* we covered all that stuff in Security class. At first glance it's like "oh jeez, look at all these layers upon layers of authentication, authorization, validation, validation-of-the-validation..." but these sorts of clever attacks are why. I didn't even know this sort of thing was possible.
Great Video. As a novice web developer these videos help immensely. Keep them coming. A video on how to design a site which can be logged into securely would be very helpful.
And here's the third one... Tom great as always. By the way, with Django framework the way to prevent it is as simple and comfortable as adding {% csrf_token %} inside the form tag =).
Awesome...never even thought of such security issue...I think chrome's sandboxing of the tabs won't help here coz I have seen the sessions and cookies are shared across tabs....Keep it coming - love the videos
You can easily get around the random number thing just by making a PHP request to the site and grabbing that form element and inserting it right into your page! Then the random token will be correct everytime because the data is coming directly from the server.
I simply love all the Tom's videos, very well explained. Keep going with the good content, Mr. Red T-shirt haha - I don't know if it is intentional or not, so I don't want to be a jerk. :p.
Awesome Video, Systems security is to my mind the best subject to do videos on, keep doing that, this is very interesting, very useful ! Keep UP that good work
I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?
Ya know, if accepting request from other website would work, then the form would likely be accessible by javascript running from the other website as well. Which means, my javascript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.
The real trouble with referers is they're user controlled meaning can be spoofed which is why injecting cryptographic checksum/tokens is the only way. This is much better than your SQL injection video. Too high level for me, but good explanation for the laymen.
Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?
Speaking of account deletion, it's even safer to create a token and *not* return it directly to the user, but send an e-mail containing a link with this token.
Being able to create your own version of a form a send that is a problem in general, as you could also strip out any checks in the original form you don't like.
cross-site scripting is blocked in browsers as a simple example, say i have a site with a bunch of livestream embeds, and i set up a script that when i press F2, it scrolls to my favourite one As soon as i click inside any of the streams, say the play button.., F2 won't work and it'll continue to not work until i click outside again, giving focus back to my own page The only way they can load the bank would be to actually load the bank visibly to you, because you're the only one that can interact with it.. the scripts can't..., not theirs anyway
I think that what you are saying is incorrect, i have done some coding with AJAX(Asynchronous JavaScript and XML) and it didn't need to be visible to be able to load. and almost every page on the internet gets data from other sites invisible(i once had a chrome extension that showed which site you visited and where they took data from, an average site connected to more than 20 different websites(like for tracking: google analytic)
oh do you mean, that even for the request of the forum not only the submission needs to be accompany by the token? That would make more sense and would solve that problem, thanks
Tom, I'm never going to your blog, that's for sure now.
"But since then, it's got a bit more complicated"
-Tom Scott, 2013, describing the internet and the history of the universe in one sentence.
As someone who is a complete novice, and is trying to learn about how to make websites, Tom Scott has made me terribly afraid of screwing something up and having a massive security hole.
I love how passionate Tom is about this. You can really see it in his face and hear it in his voice.
The funniest thing about your videos is when you talk as if you were the server, interpreter, code or whatever! It would be funny as hell if that was the case, imagine trying to do something malicious, and having the server respond "Well, that's wrong. I'm not having that." in Tom's voice!
After just graduating with a Bachelor of Computer Science, I can safely say I would have loved to have this guy as a lecturer; he explains things simply, clearly, interestingly and correctly! I'd like to say a big thanks to the Tom and the Computerphile team for spending their time and effort to make these great videos!
"My hand has lower ambitions than my brain does"
Yeaaah I know the feel...
Please, don't ever stop making these.
Tom Scott is quickly becoming one of my favourite people on the internet. He's the kind of person i'd have wanted to be best friends with if we'd been kids at the same time and place
These Tom Scott videos are so addictive, I can't stop watching! xD
Tom is probably my favorite person on this channel. I just love the way he talks and I love the topics he has.
I remember 6 years ago (I was 12), I'd mess around with chat rooms for fun. Of course, doing so itself was stupid, but it taught me about modifying post-actions and functions, and also about proper security in how users interact with websites.
Basically, I had a plugin that let me edit post data before it was sent to the site. I'd mess around with the chat a few times, see what values changed in the post data, and then figured out what separate parts and values in the data were for. Eventually, I figured out how to modify the sessionID to be the same as other users, so that I didn't have to be in the chat to play around with it. I also learned how to mess with chat servers screen-name authentication, and to modify my screen-name when I was in the chat. Worst-yet, I learned how to modify user-permissions and mess around with the admin-panel login page so that the chat server thought I was an authentic admin that logged in through the admin-panel and let me use admin operations.
Of course, at the time I used it for immature things, but I eventually started thinking of ways for how the website could have avoided those problems. That sort of thinking helped inspire me to think in-depth about security in my programming projects.
Being a web-developer I highly enjoy this series. Tom really knows what he is talking about, and I just love the enthusiasm.
it disturbs me, that you're a web-developer and enjoy this :) you should already know all these issues
suit1337 Yes, I know about these issues. I think most of the developers out there enjoy these videos regardless of what they know about the subject. And there is always a chance of learning something new.
suit1337 You do know that web developers can be new to web development right? We don't live in the age where the only way to learn something is through a proper school. You could easily start your web development very small time on your own and be unaware of the basic security flaws...
I'm aware of that - and that is a shocking development in this business. Take another work field for example: someone could not easily start a business as an electrician without proper education - but you can start as a web developer.
there are lots of fools around here with no clue, even in the basic properties of the business but they make shitloads of money with their crap
that really fills me, doing proper work, with anger
---
just an example from my country (austria)
- the website of our ex financial minister was priced at 220.000 Euro
the website of the agricultural ministry cost about 5,5 Million Euros
and those websites are not even closely done properly and get defaced over and over again - instead of blaming the stupid overpriced web developers with no proper education they blame the "bad hackers"
a few weeks ago our interior ministry presented a new 100 % hackerproof "student licence" - it was hacked only 3 days after via a very simple SQL injection
i hope you understand, that it disturbs me, that every moron with no education can start a new 1 man web agency and start coding with no education in the field at all.
suit1337 I understand this, it's true of anyone who takes pride in their work. It's not really that shocking though. This is true of any business until government steps in to regulate it.
I think the true problem lies in the fact that Web Development is an all encompassing term even though it has several aspects: Design, Functionality, Reliability, Marketability, and, of course, Security. From what I've seen most people think these are the same, though many have started to separate design.
Got an exam on this tomorrow, this was so helpful for me, thanks! The way you explain things makes them easily accessible
These are some of my favorite vids on computerphile! Security issues affect everyone and we need more clear explanations. I'd love for Tom to tackle jailbreaking.
This video inspired me to try to "steal" my CSRF token (as if I was trying to hack my own account). I the process I reinvented cross-origin HTTP requests and clickjacking. Turns out both this attacks are well-known and defended against.
Just wanting to let you guys not know that you are doing a great job I love watching your videos and always get excited when I see that you posted another one.
I'm 16 years old and enjoy programming but thoose videos add another point of view to it and really get you thinking
Greetings from Germany
You'd be surprised how many web devs don't know about this in 2023
Oh wow. It's funny seeing people writing about how they implemented a 'nonse'. If only they they knew. This was a great video! Tom is always so enthusiastic, it's great! One request would be making the felt tipped pen sound quieter/non existent. It makes my toes curl!
Word! That is even worse in Numberphile.
It's good having an episode of computerphile, mainly because the intricate and important details in computer are _so complicated_ even though I (thought) that I knew about computers. This kinda gives me a foundation.
Also you should probably talk about logic gates, whether it's minecraft or whatnot, they explain how you could have to light switches for one light
These are awesome. This guy makes Computerphile the channel I look forward to. More of him.
I know little about IT or programming, but your videos are always very informative and easy to understand, so thanks!
Holy crap! While I have enjoyed these videos since the start of computerphile, this is the first time I directly learned, or more rightly, realized something. I do have webpages that are badly coded like this. Time to go off and fix!
This guy is an excellent presenter. Please, more of him.
Great and informative video as always. Loving the amount of Tom on this channel.
I always wondered how Wordpress' nonce hash works. Thanks for the enlightenment!
This was really interesting. I was aware of cross-site-scripting and sql Injection but I had never heard of this. Thanks :)
The tale in the beginning about POST and GET requests is a bit of an ideal case too. Many sites actually work just as well if instead of a GET request you make a POST request with the same content, or vice versa.
these videos jus seem to come right after i've implemented something for a project in my courses ... Thank you for informing me of these things, heavens knows I'll need them in the field
Ironically I saw "nonce" today in a code and I thought someone didn't follow code standard for nOnce or n_once. Now I know what they meant.
Great, now i've got to rewrite the project i'm working on. I didn't know about this and it's so obvious. Good video!
If you have to rewrite a project to protect against CSRF attacks you are doing other things wrong as well
Rewrite? That sounds a bit like overkill. Just add a nonce token and you're as good as you'll get.
Tom, You are the best. Keep making those excellent videos.
This is great! :D I love the way Tom explains advanced terms in really simple ideas
This is indeed a big security hole. I did not know what CSRF did before so I couldn't apply a patch to my site. I can now though. Thanks Tom/Numberphile. Nicely explained :)
Very informative and explained in a simple and understandable manner. That's why Tom is my favorite, though I enjoy watching the others, too!
Here's one consideration on how important it is to validate user input on the server side. Take any disabled html element. Open up firebug console and run some javascript, eg. using jQuery syntax: $('input').removeAttr('disabled'); $('input').removeAttr('readonly');. Then happily make any changes to the input elements and submit the changes.
This channel is absolutely amazing!
Thank you Dawson from Dawson's Creek!
still relevant even nowadays how beautiful
The easiest way to get around most of these: Use a solid framework which helps prevent all these attack types. Take Ruby on Rails for example. While not perfect, the latest version is pretty good at avoiding SQL injection, XSS, and CSRF, along with other built in things, like secure cookies, and proper storage of passwords... with a framework doing most of the basic stuff, it's up to the developer not to do anything stupid.
This mini series on security is just wonderfull. Love the content, love the voice, it's just great.
Can't i just load the other form in an invisible Iframe and then parse and search through the html retrieved? Use the token info and create my own form.
Great explanation, I did know this sort of attack existed but had never given much thought about how to mitigate it.
this still goes under the radar 10y later btw
It's also a good idea to add the action to the seed which generates the nonce, so the nonce to post a comment is different from the one which allows you to delete your account. If you combine that with the username and set a short timeout the users needs to have been on the form which does the action, somehow you need to be able to steal that nonce and get them to go to your infected page. It's basically no longer a security issue in that case. When someone loads a form they usually intend to fill it out and you could even track when they leave the form to immediately invalidate the nonce.
Excellent description of XSRF. Thank you. I understand the concept and defenses now.
Best quality of explaining anything ever possible!! Thanks A TONNN!
I've just watched the video, it was really helpful on my course! Thanks! 🙂
Thanks for helping me learn the valuable lesson of what a 'nonce' is in UK.
Nice video ! I already heard about it but I didn't understood everything, so you've made the web a safer place !
I have heard about this before, but there's a simple way around it. The problem with it is that the same malicious form on the unrelated blog can still submit a page request on the target site and grab the token before submitting to the page that actually does the damage. All it takes is a little bit of PHP knowledge, some knowledge of HTTP request headers, and a little ingenuity. Still, it's good to know how and why to do this.
What a great tutor, very well explained!
I've been looking for a video that I can send to my non-techie friends to give them slight idea about XSRF. This video is what I've seen so far that's lay-man friendly.
I'm a web developer and I didn't know the solution. Thank you very much.
Learning about this sort of thing really helps me understand *why* we covered all that stuff in Security class. At first glance it's like "oh jeez, look at all these layers upon layers of authentication, authorization, validation, validation-of-the-validation..." but these sorts of clever attacks are why. I didn't even know this sort of thing was possible.
This guy is amazing! More videos by him please!
Awesome video,great help.
I'm always waiting for your new videos .
Very helpful. I liked both the content and the way you described the CSRF. Thanks!!
Actually learned this now by the video. Quite interesting and will eb sure to include this in serious projects in the future.
Damn. Your /delete?confirm=true statement was a 100% hit. Gotta rename my parameters ;D
Great Video. As a novice web developer these videos help immensely. Keep them coming. A video on how to design a site which can be logged into securely would be very helpful.
Tom is good, a very good presenter.
Love your videos! I will doing web computing in September at uni and these videos are excellent! Thanks
Another great video guys, looking forward to more cool explanations. Keep up the awesome work!
And here's the third one... Tom great as always.
By the way, with Django framework the way to prevent it is as simple and comfortable as adding {% csrf_token %} inside the form tag =).
I love this guy please keep making more videos with him
Excellent explanation in simplest terms!
Ohhhhhh, so that's what the nonce thing is. Thanks Tom!
Lucky for me, I have learnt this in first class of my education.
"A bit more complicated". My new catch phrase. :)
I didn't even know this for 7 years .
you request the token with your script
and later in the script you use that token
easy if the form is standardized-like deleting enemy facebook pages
Will Tom be a regular? His bits are great.
been waiting for this video
Awesome...never even thought of such security issue...I think chrome's sandboxing of the tabs won't help here coz I have seen the sessions and cookies are shared across tabs....Keep it coming - love the videos
You can easily get around the random number thing just by making a PHP request to the site and grabbing that form element and inserting it right into your page! Then the random token will be correct everytime because the data is coming directly from the server.
I simply love all the Tom's videos, very well explained.
Keep going with the good content, Mr. Red T-shirt haha - I don't know if it is intentional or not, so I don't want to be a jerk. :p.
Awesome Video, Systems security is to my mind the best subject to do videos on, keep doing that, this is very interesting, very useful ! Keep UP that good work
It just gets better!
I just learned about nonces yesterday and implemented one ;)
I know this is not relevant to this video, but can you do a video on elliptic curve RSA cryptography?
FIRST!!! computerphile, teaching web attacks since '13
I get the concept of the token, but how does the server know if a token is valid once it gets the request? Since the web is stateless, it creates the form with a random token, then sends it on its way. So how does the server know if a token it gets back is valid? Store valid tokens in memory or a database?
Ya know, if accepting request from other website would work, then the form would likely be accessible by javascript running from the other website as well.
Which means, my javascript could request the form, look for that random string of characters (fairly easily too) and add it to its spoofed request, meaning we would be back to square one.
This guy's videos are brilliant! Web security and hacking is so interesting. :)
Hmmmm, time to add that to my project! :P Thank you Computerphile!
More from this guy!
Interesting as always!
So...what the hell does nonce mean in Britain?
The real trouble with referers is they're user controlled meaning can be spoofed which is why injecting cryptographic checksum/tokens is the only way.
This is much better than your SQL injection video. Too high level for me, but good explanation for the laymen.
thanks for this magnificent explanation!
Why does the camera randomly zoom in some times? it's really distracting.
Couldn't you get around the one-time key thing by creating a hidden/tiny/offscreen (i)frame for the ‘transfer money’ form on the bank website, and then use JavaScript to automatically submit the form?
Speaking of account deletion, it's even safer to create a token and *not* return it directly to the user, but send an e-mail containing a link with this token.
Can you explain this more? I think I get what you're getting at but please explain.
Fuogger You may know this from several websites, when you have to click a link inside of an e-mail to confirm your action.
I love these videos, thank you.
Tom Scott, I want to visit your awesome blog.
Being able to create your own version of a form a send that is a problem in general, as you could also strip out any checks in the original form you don't like.
This guy is so good. More of him! :D
but what if the malicious webpage itself loads the bank site in the background, it can get the token that way.
cross-site scripting is blocked in browsers
as a simple example, say i have a site with a bunch of livestream embeds, and i set up a script that when i press F2, it scrolls to my favourite one
As soon as i click inside any of the streams, say the play button.., F2 won't work
and it'll continue to not work until i click outside again, giving focus back to my own page
The only way they can load the bank would be to actually load the bank visibly to you, because you're the only one that can interact with it..
the scripts can't..., not theirs anyway
I think that what you are saying is incorrect, i have done some coding with AJAX(Asynchronous JavaScript and XML) and it didn't need to be visible to be able to load.
and almost every page on the internet gets data from other sites invisible(i once had a chrome extension that showed which site you visited and where they took data from, an average site connected to more than 20 different websites(like for tracking: google analytic)
I think that the token will be different because it is another loading/creation of the form.
what do you mean other loading/creation of the form, it is not, the site downloads the form and the token, and then sends it back to the bank
oh do you mean, that even for the request of the forum not only the submission needs to be accompany by the token? That would make more sense and would solve that problem, thanks
Really interesting! But how do you know if your bank, etc. is using the token system? Also, can we get a computerphile video explaining bitcoin?