Remove redundant story section

This commit is contained in:
Maciej Pędzich 2024-09-04 19:41:28 +02:00
parent 363d42166a
commit 33fb45e0cc
Signed by: maciejpedzich
GPG Key ID: CE4A303D84882F0D

@ -251,83 +251,6 @@ Failing to do so makes all the aforementioned components increasingly more susce
You also have to be wary of hosting services that allow users to submit text, images, videos, etc. because apart from malicious users trying to exploit potential holes in the submission mechanism, they could also try and abuse that platform to post hateful or explicit content. You also have to be wary of hosting services that allow users to submit text, images, videos, etc. because apart from malicious users trying to exploit potential holes in the submission mechanism, they could also try and abuse that platform to post hateful or explicit content.
Speaking of which, I'd like bring up a story of me _hacking_ one of the web development industry's heavyweights to showcase just how much power and room for abuse I've gained with very little effort.
## Bonus story: "hacking" Wes Bos
Let me preface this section by stating that my goal is not to dunk on Wes or claim that I'm somehow a more skilled developer than him (I'm anything but). I only want to tell a cautionary tale of exposing services and IoT devices with lax or nonexistent security measures in place.
Chances are you've heard of [Wes Bos](https://wesbos.com) before. You might have taken his [JavaScript30 course](https://javascript30.com), listened to an episode of his [Syntax podacst](https://syntax.fm), or given him a [follow on Twitter](https://twitter.com/wesbos) (I'm never calling it X) just like the other 385 **thousand** people and bots.
Let's rewind the calendar to 19 August 2024. I just so happened to be casually wasting my time on that site when I noticed [this tweet from Wes](https://x.com/wesbos/status/1825559690216132726). If you can't access the link, it said:
> This might be a bad idea but go to [local.wesbos.com](http://local.wesbos.com) and try take your photo. It should print to my printer
My boredom was dead on the spot, because the curious yet mischievious George in my head just had to find a way to get this printer to repeatedly spit out an image of my choice. But what kind of image did I ultimately end up submitting? In hindsight, I probably should've rolled with a somewhat more tasteful joke, but hindisght is 20/20 and I'm still yet to invent an _undo past_ button.
Anyway, past me concluded that the perfect choice for a photo to send would be a Dick pic, but not just any ordinary Dick. We're talking the 46th vice president of the USA, Dick Cheney. Why exactly him? I guess he was the first Dick to come to my mind at that moment.
I had a really narrow time frame to work with, but that's when my vast experience in doing homework right before the deadline came in clutch and allowed me to reverse-engineer the photo submission mechanism and produce the following script to send a Dick pic just as long as the server was up.
```js
import { readFileSync } from 'fs';
import { setTimeout } from 'timers/promises';
const dickPic = 'data:image/png;base64,'
+ Buffer.from(readFileSync('dick.png')).toString('base64');
async function sendDickPics() {
let ok = true;
while (ok) {
await setTimeout(5000);
const res = await fetch('https://local.wesbos.com/', {
method: 'POST',
body: JSON.stringify([dickPic]),
headers: {
'Next-Action': '6ee7743577654da9ae36dc07718e86a493377b1d',
'Next-Router-State-Tree': '%5B%22%22%2C%7B%22children%22%3A%5B%22__PAGE__%22%2C%7B%7D%2C%22%2F%22%2C%22refresh%22%5D%7D%2Cnull%2Cnull%2Ctrue%5D'
}
});
const resText = await res.text();
if (res.ok) {
console.log('DICK PIC SENT!');
} else {
console.log(res.status);
}
console.log(resText);
ok = res.ok;
}
}
sendDickPics();
```
The hardest part was figuring out that the `Next-Action` and `Next-Router-State-Tree` headers were necessary to trigger the bit of server-side code responsible for interfacing with the thermal printer. If you were to omit them, you'd get a `200 OK` HTTP status code, but also a generic _Not Found_ page in the response body. That's why I decided to log it in my script.
At any rate, I ran the script and after 5 seconds, there was a success message along with the expected JSON response from the API endpoint. 5 seconds later, another one. And yet another one, until about a minute or so later, the handler got disabled and it only took another minute for Wes to send [a follow-up tweet](https://x.com/wesbos/status/1825568577040093426). And sure enough, there were a handful of Dick pics being printed as he was recording!
Think about the gravity of this situation for a second. I could've instructed the printer to print... anything. From cute dogs and cats to the most disgusting and obscene imagery one could think of, all thanks to a few lines of code.
Some of you may say that I'm overexaggerating, and that Wes was certainly going to shut the site down after a few minutes regardless. However, it doesn't change the fact that I was able to gain this level of control over a _smart_ device, simply because an online service for interacting with it got published with nothing in the way of preventing abuse.
The server never verified whether each request was coming from a legitimate or a malicious user, but also whether the image was appropriate or not. I'm also positive there was no rate-limiting either, which means I could theoretically get rid of the `setTimeout` call in my script to make it more annoying if I wanted to.
Of course, I'm not implying that Wes wouldn't implement any of the aforementioned security measures if this was meant to be a production-ready app. I'm also not saying that my server is immune to every cyber attack in the book just by the virtue of not accepting user-submitted content and setting up a few firewall rules.
But the moment you expose a means of communicating with your device, you can be certain that someone **will** _at the very least_ attempt to abuse it. It doesn't matter if it's a random guy from Eastern Europe bored out of his mind or a state-sponsored hacker group looking to recruit more zombies into their botnet.
I reckon that the following fragment of a rap song by [Dual Core](https://dualcoremusic.bandcamp.com) titled [_All The Things_](https://dualcoremusic.bandcamp.com/track/all-the-things) perfectly sums up the story and its:
> Regardless of the hardware, service, or encoding
> Connect it to the internet
> And someone's gonna own it
(The whole track is amazing, go buy it if you can)
## Wrap-up and acknowledgements ## Wrap-up and acknowledgements
Thank you for reading this script all the way to the end! I highly recommend you check out the talk video I've linked to above, since it features more graphs, slides, my voice, my face, all that good stuff. Thank you for reading this script all the way to the end! I highly recommend you check out the talk video I've linked to above, since it features more graphs, slides, my voice, my face, all that good stuff.
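Review bot: the deletion leaves an abrupt transition at the end of the hunk: the remaining text jumps straight from "...abuse that platform to post hateful or explicit content." into "## Wrap-up and acknowledgements", with nothing closing the thread about exposed submission endpoints, and the commit message calls the section "redundant" while nothing in this hunk shows where the surviving copy of that material lives. Consider keeping one or two sentences in place of the section that preserve its concrete takeaway (a photo endpoint with no authentication, no content check and no rate limiting could be driven in a five-second loop by a short script until the handler was disabled), or linking out to wherever the full story now lives. One upside worth noting in the commit message: dropping the script also removes a ready-to-run POST against `https://local.wesbos.com/` carrying a specific `Next-Action` id, which is reasonable not to keep in a public post.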