Defcon 21 - Defense by numbers: Making Problems for Script Kiddies and Scanner Monkeys

Science and technology

Panel
August 1st--4th, 2013
Rio Hotel & Casino • Las Vegas, Nevada

Comments: 232

  • @mbunds
    5 years ago

    We deliver a 500 page instead of 403 after auto-black list to make the script kiddies believe they broke our website.

  • @creepychris420

    5 years ago

    lool

  • @manishbhatt7653

    5 years ago

    lol

  • @AskJoeTaylor

    5 years ago

    Lol smart

  • @AskJoeTaylor

    5 years ago

    Hopefully they do not use VPN and find that the website is not broken and have professional hackers attacking your website.

  • @kleckson5489

    5 years ago

    @AskJoeTaylor If you have professional hackers attacking your website you're not really worried about the script kiddies in the first place.

  • @mdo
    6 years ago

    HellNet only returns 666 responses. Confuses the crap out of browsers.

  • @DMessham

    4 years ago

    Wonder if I can do that on my ftp server

  • @Eo_Tunun
    5 years ago

    An IOT tea cooker that replies with 418 would be the only piece of IOT gear I might actually consider to buy. ^^)

  • @mayube9292

    5 years ago

    418 was actually joke-proposed for the then-fictional "Coffee pot over IP" protocol. The idea being if you ask your coffee pot to make tea, but it's actually a teapot, it uses 418 to tell you it can't make coffee because it's a teapot.

  • @drumguy1384

    5 years ago

    @mayube9292 This would be a perfect example of using a joke error code to provide real security. I love it!

  • @untrust2033

    4 years ago

    Could be possible with a raspberry pi or something just set up to throw 418s and have some controls for the tea cooker :3

  • @overtheworl

    2 years ago

    @drumguy1384 "real security"

  • @samiraperi467
    7 years ago

    500 is actually shamefully common even if you're not doing anything weird.

  • @kiraPh1234k

    4 years ago

    Especially in an Enterprise application!

  • @aten747official
    9 years ago

    I should set my website up to only throw 7xx errors

  • @MegaZsolti

    8 years ago

    Throw in the 418 as well :p

  • @AndreasDelleske

    5 years ago

    401.0000000000001

  • @devikakrishna4464

    3 years ago

    @MegaZsolti it should throw out 42069

  • @ChrisJohnRiley
    10 years ago

    Not sure why this was listed on the Def Con DVD as a panel… I'm big, but I'm no panel ;)

  • @z3r0f0xvideos

    10 years ago

    Really good talk, man. I'm somewhat new to infosec and your presentation was well laid out and made a lot of sense. Keep up the good work

  • @aporsuger

    10 years ago

    Awesome stuff! Thanks for the entertainment.

  • @eX0Noah

    10 years ago

    Really enjoyed the talk! Funny and informative.

  • @Jango1989

    10 years ago

    Great Talk!

  • @MAGACAT

    6 years ago

    WARGARBL

  • @l-l
    6 years ago

    He's a fantastic first time speaker.

  • @JoshSweetvale

    5 years ago

    English Accent. +10 to Speech

  • @JayLim-bn9fh

    4 years ago

    nice username

  • @BenSherman42
    10 years ago

    @4:00 is actually 732 - Fucking Unic(U+1F4A9)de (turd symbol) haha

  • @chaseroberts2860
    6 years ago

    Proxy login User- Nice Pass- Try

  • @ChillerDragon
    5 years ago

    11:15 Even if you have 8gb of ram... when you suddenly realise the talk is from 2013 xd

  • @RyanLynch1

    5 years ago

    ChillerDragon that's almost enough for like 3 chrome tabs nowadays...

  • @Masterrunescapeer

    5 years ago

    8GB was the norm for dev laptops in 2013, or at least in my company, moved to 16GB in 2015, and half of us have shifted to 32GB this year, with next year having the other half swapped out. Mostly to help with caches on result queries when you're just testing small changes on test data. Normal dev machine I'd still stick with 16 nowadays.

  • @ukyoize

    5 years ago

    I still have 8 gigs.

  • @Masterrunescapeer

    5 years ago

    @ukyoize what do you do? If you don't need it, then no point in upgrading/wasting money, can spend it on e.g. a better screen, mouse, keyboard, etc. As I mentioned, for the work I do, it's one of the easiest performance improvements one can do, should be one of the main jobs of your manager to make sure you have the tools you need to be most productive.

  • @JasperJanssen

    4 years ago

    A KZreadr my work laptop is supposed to run a browser and office. 8GB is fine. Not a coder though.

  • @amicloud_yt
    5 years ago

    Lol, I actually made that "Loading... Please Wait" picture used at 16:10. You can pay me my royalties in the form of HTTP 7xx response codes

  • @JohnSmith-he5xg
    8 years ago

    Great stuff. It's surprising how brittle so many implementations are and how simply you can muck things up by going slightly off the beaten path response wise.

  • @NatoBoram

    4 years ago

    I mean, they are beaten paths for a reason. It's to ensure interoperability between services and tools. Malicious scripts are just using this interoperability to their advantage.

  • @abitofyourbrain
    10 months ago

    Oh, I forgot about this talk Absolutely pristine, well spoken wonderfully given talk on the subject Somehow, even as we reach DEFCON 31 somehow every part of this is still very very astute in regards to current affairs and Internet management Nothing changes really does it What a Time to be alive To this day, my absolute favorite lecture I do hope to find more by this man-he seems to be ahead of his time or conceptually people that make browsers don’t move with the times either way what a gem of a human So glad KZread suggested it

  • @AJMansfield1
    5 years ago

    You could combine the "HTTP tarpit" idea with a full slow loris-style thing to _really_ extend those scan times.

  • @trevorthieme5157

    5 years ago

    Fun times fun times!

  • @whatever1502

    5 years ago

    Rly nice idea :'D

  • @MazeFrame
    4 years ago

    410, because this website is only available when all planets, including but not limited to the ones of our solar system, line up.

  • @ablindgibsongirl
    10 years ago

    i love watching these presentations. Thank you for uploading. Not a script kitty, interested in first principles. Learning linux via Vinux, reading up on Unix and other whys and hows of computing. This is the next best thing to going. Fully capable of admitting I know nothing. No one gives a shit about the geek blind lady any way. Happy to continue nibbling away at the bytes and bits of computing that are available to me.

  • @minihjalte

    10 years ago

    It's not script kitty, it's script kiddy. Script Kiddy.

  • @corymarsh

    10 years ago

    minihjalte Now I want a Script Kitty.

  • @minihjalte

    10 years ago

    Cory Marsh They are quite cheap actually, i think they go for 5 dollars right now.

  • @corymarsh

    10 years ago

    minihjalte Do I need to buy a special keyboard for the script kitty or can they use a normal mac keyboard? I am assuming they come pre-trained.

  • @paulhendrix8599

    7 years ago

    Alex do consider that this could have been a joke. Check out AvE, man

  • @NekoYuki
    6 years ago

    That moment when you know most of the stuff is going over your head, but the gist is there, you can understand that much, and you're enjoying what you KNOW is about to follow.

  • @ehifnvhiebvzeruwdnivbvzbe5644
    4 years ago

    He has a real nice voice to listen to

  • @marcosantimaria3879
    5 years ago

    does anyone know where you can get the files from this talk?

  • @Walter_
    4 years ago

    31:00 I know a way to counter the strategy of sending random or static status codes. Just run w3af like normal but use charles web debugging proxy ( or any other proxy ) and automatically replace every statuscode with a 200. You showed that 200 statuscodes takes the scanning software multiple hours longer to complete but at least the scan will be accurate.

  • @sham69ohio
    4 years ago

    How can I get the slides used in this video?

  • @pgoeds7420
    4 years ago

    41:39 What web standard is he using from 1990?

  • @Mixer-he2wb
    9 months ago

    Just thinking on the authentication error. Send bad ASCII. Bell tones?

  • @ConstantlyDamaged
    1 year ago

    So you mean I should stop 301ing attackers to their own loopback? I might have to investigate that 1xx idea, though. That sounds like fun.

  • @w0ttheh3ll
    4 years ago

    I like "737 - FuckThreadsing"

  • @elukok
    6 years ago

    Probably not a good idea to use, I would be worried that browsers change the status code behavior in different versions. Firefox 30 could behave differently than Firefox 45. One displaying the content and one not displaying it.

  • @elukok

    6 years ago

    Not everything. Most major functionality stays the same, at least through the minor releases. The things mentioned here will probably be different every small release. It would be quite hard to keep up and test every new version of the browser. Automating it would be one solution though.

  • @danielbrunner829
    7 years ago

    4:58 does he really say "Gesundheit!" ?

  • @averagegeek3957

    6 years ago

    Yes, that's what it sounded like.

  • @talhatariqyuluqatdis

    6 years ago

    Daniel Brunner ich bin ein berliner

  • @mcMineoc

    5 years ago

    It’s a common word in some parts of the US

  • @boblewis5558

    5 years ago

    @talhatariqyuluqatdis you're a hamburger?!

  • @Grimpmann

    5 years ago

    @mcMineoc Only douches who want to seem cool.

  • @Shadow81989
    5 years ago

    About 23:00 when he talks about telling the website you're using a different browser than what you actually run... Opera had this fantastic feature to: a) "pretend to be browser x" b) "mask as browser x" with browser x being firefox or internet explorer - with chrome just appearing over 5 years later... That was a feature that I regularly used, when websites wouldn't load, because I wasn't using their preferred browser. When using the "wrong" browser, they would not even try to show the content, but just display a warning message... For most websites it was enough to use solution (a) to get it run, which I guess just changed what opera rightout TOLD the website about what browser it was. On SOME websites that would fail though, and you would have to "mask as...", which now I guess made Opera send the typical respond of [whichever browser it was masking as] for the most generally used "browser detection" status codes, when receiving them.

  • @alexbuhl1316

    5 years ago

    I still use opera. on every front they actually innovate. I love it. >50% doesn't work out, yet they still try again and again. commendable.

  • @kiraPh1234k

    4 years ago

    As an aside to this: Bypassing a browser check like that can result in using a broken web page. Often, if the site has a preferred browser, it's because they use some feature they know to be implemented on that browser that isn't implemented on others, or they use some specific browser extension (activeX, moz, webkit, etc). It's certainly bad programming on their part and an annoyance, but at least they're giving you the message that says "Hey, I know my garbage web page only works properly in Firefox" rather than letting you wonder why the site isn't working properly.

  • @johnfrancisdoe1563

    4 years ago

    Rue U There's also Goanna that is a complete Gecko fork.

  • @NineSun001

    3 years ago

    @kiraPh1234k Mostly it is used to block out old and skimpy browser which don't comply with the RFC. Of course I can use a polyfill, but honestly I don't want to serve an IE8 in 2021 and people should feel bad for using it.

  • @kiraPh1234k

    3 years ago

    @NineSun001 Uh, no. The situation I pointed out of a web developer using features that exist only in specific browsers is much more common than a situation where a web developer is just not supporting very old browsers. These situations will often happen because either the developer wants to utilize a web feature only implemented on one browser, or wants to implement a browser feature as part of their project. So usually these are browser specific extensions like moz, webkit or activeX controls (and even out of those it's mostly activeX and moz...). You will see this go side by side with supporting only Firefox or only Edge (Firefox so they can keep using moz, or Edge for activeX). This is actually why I used Firefox specifically in my first example. Since it's never a leader in implementation of RFC you'd almost never want to support just Firefox which has some of the worst web compliance of any available browser. So to be clear, in most situations and especially in situations where you see "Only works in IE" or "Only works in Firefox" - this is because the developer isn't following web standards/RFC. It's not because they're stopping RFC compliant browsers (Like say, Chrome, Brave or even Edge - all of which implement more of the RFCs for HTML5/CSS3 and such than Firefox). Next time you see a site supporting only Firefox, look at its source. Most likely you'll see them using moz extensions for things which other browsers use normal HTML for. Edit: Remember, most humans have bad habits - even in their jobs. Programmers or web developers have never been an exception.

  • @HritikV
    4 years ago

    About fingerprinting, I guess you could do all of those with x-webkit-* CSS directives

  • @MLIOGJXNUYAT
    5 years ago

    One of my pet peeves is that a lot of 404 responses are more correctly 410 responses. 404: "Not here, try again later"; 410 "Not here, and won't ever be here so don't ask".

  • @kiraPh1234k

    4 years ago

    It's a bold assumption that some request will be invalid forever.

  • @NineSun001

    3 years ago

    This is wrong. 404 states that the requested resource was never here to begin with. 410 states that an existing resource got deleted. Every 410 should become over time a 404.

  • @fartyperson
    5 years ago

    Tongue slaps

  • @philswaim392
    5 years ago

    Really cool info on http and how to bend rfc vs reality. However i dont think this type of obscurity is very sustainable through turnover in companies. I could see using honey headers or other kinds of trickery to get attackers to reveal themselves and their techniques more clearly, but you have to be able to manage these kinds of configurations. It would be better to hold to standard configuration for your production stuff and throw curiosities in the environment to distract ne'rdowells and make their presence and their movement more obvious. I can get behind obscurity helping security, but you cant confuse your developers and 3rd parties as to why your webserver is always showing 300 or 400 when everything is working just fine.

  • @nnslife
    4 years ago

    Start watching at 19:50. First 20 minutes is a complete waste. This is talk about HTTP response codes, specifically about two things: 1) Different browsers behave differently when receiving rare HTTP codes. You might use it to detect the real browser person using. It's easy to fake request http header with browser info, but it's harder to fake browser behaviour and fewer people will do that 2) You can really confuse automated scanners by returning rare/wrong/random HTTP codes If these two things are not of your interest than you don't need to watch the talk. Otherwise start watching at 19:50. First 20 minutes is a complete waste.

  • @johnmckay1961
    10 years ago

    Awesome :)

  • @MobCat_
    4 years ago

    Error 200 - This is a nice message telling you to piss off nice, i am soo using that >__

  • @Gredddfe
    4 years ago

    I've been pronouncing nginx as "en-ginks" for years.

  • @kiraPh1234k

    4 years ago

    Same, and now I can't get "N Gin X" out of my head

  • @onyxtay7246
    7 years ago

    411 Ouch. Really don't want to get that one huh.

  • @sticky170

    6 years ago

    411 that's what she said

  • @firstnamelastname2298
    6 years ago

    Thumbs up for numbers )

  • @benistingray6097
    6 years ago

    I would call myself a script "kiddi" but in a good way, let me explain. As i started to get interested in these things i was 28 years old and i tried my best to start with some python but honestly i just cant remember all that stuff lol. But im still interested in it and want to know how these things work and such scripts help me a lot to understand at least basicly whats going. Im just messing around in my home network and my biggest "achievment" was to crack my own wpa2 network. A lot didnt work but i didnt give up and researched a lot of things and at the end it worked. So yeah i think it isnt allways bad, i learned some things, i felt i achieved something and at the end it was also a lot fun. Anyway have a nice day folks ;)

  • @JoshSweetvale

    5 years ago

    The vernacular difference is the same as the difference between 'noob' and 'newbie'. Taking scriptcode apart isn't what 'Scriptkiddies'(vernacular) do. They find these programs and use them as blunt instruments of cyberwarfare, without much thought as to how. The 'lout with a brick' of hacking.

  • @adgasdggfg

    5 years ago

    Give a man a wifi password and he has internet for a spot Learn a man how to hack a wifi password and he has internet forever

  • @luxzartheglorious

    5 years ago

    @JoshSweetvale skript kiddies will beat you with a stick, where a skript noob will learn to sharpen said stick

  • @XxxionxX
    5 years ago

    I use this talk as Ambien, it's perfect.

  • @yxngsixto.4401

    5 years ago

    ayeeee.

  • @SamJakob1
    6 years ago

    420! It is used by Twitter!

  • @Yuzuki1337

    5 years ago

    Error 420 - the cache is too high

  • @AlaricScandoveski
    5 years ago

    ... Why does he sound like 'Internet Historian'?

  • @alexchristensen2651
    4 years ago

    601: i like this guy

  • @Ratty2480
    4 years ago

    Dude have a drink

  • @minnermin
    5 years ago

    "The wisest man is the man who knows he doesn't know jack shit" ~socrates

  • @SonOfNone
    6 years ago

    I worked for a company that used 503 - busy/try later response codes for all email not in a custom white list. Seems smart since spam never retries emails, but sometimes neither does legitimate email servers. Fucking nightmare

  • @Mmouse_
    4 years ago

    500 I see a lot because I like to miss punctuation in php

  • @MrRandsauce
    5 years ago

    awesome talk man

  • @ThoriumHeavyIndustries
    10 years ago

    Nice talk unless the comment about loadbalancers. Loadbalancer like F5 or Cisco can help you a lot with fighting of skriptkiddies and DDoS. And If you host websites, you have loadbalancer, at least for redundance.

  • @AssemblyWizard
    5 years ago

    39:21 the regex is wrong, it should've been parentheses instead of square brackets. This means there should be more than a 1000

  • @atorac

    5 years ago

    () parentheses are for group matching, no use there.. res[p|ponse]? matches 3 options: res resp response Which is exactly what he meant to do. Not crazy complex and gets the job done.

  • @AssemblyWizard

    5 years ago

    Puffo Sciamano No, `res[p|ponse]?` matches: res resp res| reso resn ress rese While `res(p|ponse)?` matches res, resp, response Like he wanted. Or better - `res(p(onse)?)?` Know your regexs.

  • @atorac

    5 years ago

    @AssemblyWizard oh my.. uops :) I stand corrected, kids dont drink and regex
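
The character-class versus group difference settled in the thread above, as an added example that is not part of the original comments: it brute-forces every string made of `res` plus up to five characters from the bracketed set and lists which ones each pattern fully matches, then shows what an unanchored search consumes from `response`. Python's `re` module and the helper names are assumptions; the thread does not say which regex engine the talk's tool used.

```python
import itertools
import re

# Patterns quoted in the thread above.
CHAR_CLASS = r"res[p|ponse]?"   # square brackets: a set of single characters
GROUP = r"res(p|ponse)?"        # parentheses: alternation between whole strings
NESTED = r"res(p(onse)?)?"      # nested-group variant suggested in the thread

# Constructed search space: "res" followed by 0..5 characters drawn from the
# distinct characters that appear between the square brackets.
ALPHABET = "p|onse"
MAX_SUFFIX = len("ponse")


def candidates():
    """Yield every candidate string in the constructed search space."""
    for n in range(MAX_SUFFIX + 1):
        for combo in itertools.product(ALPHABET, repeat=n):
            yield "res" + "".join(combo)


def accepted(pattern):
    """Return the sorted candidates that the pattern matches in full."""
    rx = re.compile(pattern)
    return sorted(s for s in candidates() if rx.fullmatch(s))


def unanchored_span(pattern, text):
    """Return the substring an unanchored search consumes, or None."""
    m = re.search(pattern, text)
    return m.group(0) if m else None


if __name__ == "__main__":
    for name, pat in (("class", CHAR_CLASS), ("group", GROUP), ("nested", NESTED)):
        print(f"{name:6} {pat:18} full matches: {accepted(pat)}")
        # Unanchored, the alternation stops at its first successful branch,
        # so only the nested form consumes the whole word.
        print(f"{'':6} search('response') consumes: {unanchored_span(pat, 'response')!r}")
```

Because every optional suffix may be empty, all three patterns find a hit in any text containing `res` when used unanchored; the difference only shows up in what is consumed or when the match is anchored.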

  • @broquestwarsneeder7617
    5 years ago

    i like this dude

  • @THEFRISKIESTDINGO
    10 years ago

    42:50 - I want to go to Defcon

  • @repairaholic4858
    4 years ago

    Why would you have to restart your android phone when you can go to app and force close it 🤔

  • @dolibert
    5 years ago

    4:59 Gesundheit

  • @pawpatrolnews
    3 years ago

    You don't need to be mean to the people with spiders! They aren't hurting you.

  • @larsfinlay7325
    1 year ago

    I'm something of an edge case myself

  • @opensourceftw3282
    8 years ago

    200 Hacking Appempt Detected...

  • @hosting_utilities
    5 years ago

    Way too many problems with this: I believe this is bad for SEO. No research was done about how this affects screen-readers. This could negatively affect bots that a marketing department uses to do things like scanning a website for info about the internal link structure. I could see a caching mechanism or a caching preload bot failing to cache pages that do not return a 200 response. Programs that analyze the health of the network will fail to work properly. And some of these programs it would be interfering with could be third-party programs that would have to be replaced with in-house solutions.

  • @lerubikscubetherubikscube2813

    5 years ago

    Could you not have this setup to change the return code rules dynamically depending if you want to use a tool to check the health of your website? Also, could you not whitelist certain bots while still avoiding malicious ones?

  • @kiraPh1234k

    4 years ago

    Actually, this setup is easy to use with in house interference. When you have access to your own network, it's a different beast than the Internet coming in. The Internet traffic is restricted to whatever you exposed to them, but from inside you could for example, simply use your health checking tool on the server directly, ignoring the proxy that all the internet traffic is coming through, hence getting all the correct response codes into any needed tool. Edit: It likely won't actually impact SEO much either, mainly due to search engines using content and reference to judge rank, not response code. It could impact the spider's ability to crawl the site, but there are solutions to that as well.

  • @LiEnby
    4 years ago

    if you sent 404 on every request then most libaries would have *issues* GET-ing pages, like python requests would throw an exception lel though its worth mentioning the PS4 browser does check for status code 404 then display a generic "Not found" message^

  • @destiny_02

    1 year ago

    And so does Chrome Mobile

  • @CaboLabsHealthInformatics
    4 years ago

    why assume everyone scanning is a script kiddie?

  • @visvge4934

    2 years ago

    Anyone scanning without your permission might as well be considered potentially checking for weaknesses

  • @lonewanderer1776
    9 years ago

    699 - Deez nutz

  • @paulhendrix8599

    7 years ago

    Lone Wanderer is 666 a thing?

  • @minnermin
    5 years ago

    Appachkey

  • @ukyoize
    5 years ago

    Why not just write code without wurnerabiblities?

  • @ShroudedWolf51
    5 years ago

    ....why is he using IE6 as the Internet Explorer example? IE has been decent enough since IE9 came out and IE10 released nearly a year before this talk.

  • @thedarkness125

    5 years ago

    Internet explorer still isnt decent.

  • @johnfrancisdoe1563

    4 years ago

    ShroudedWolf51 He only mentions trying "all" IE versions and IE6 being the extra weird one.

  • @alextilson9741
    5 years ago

    This has to be fucking terrible for SEO lol

  • @CrucesNomad1
    4 years ago

    good primer

  • @Shadowlogic420
    5 years ago

    Am I the only one noticing Bitcoin miner scripts in the sources of websites these days? That's some shady shit.

  • @asbeltrion

    5 years ago

    Wait, what?

  • @isbestlizard
    4 years ago

    i HATE that browsers don't respect 410 Gone for their stupid fucking favicon requests and keep DEMANDING more favicons even though every response is me saying NO it's NOT HERE and is NEVER GOING TO BE HERE

  • @isbestlizard

    4 years ago

    how much net traffic could be saved if fucking edge and mozilla and chrome RESPECTED 410 Gone for crappy speculative requests and STOP ASKING on that domain/whatever

  • @isbestlizard

    4 years ago

    i wish my wishes came true except typing them here as a reply to a random video about http status codes probably isn't going to make it happen :

  • @isbestlizard

    1 year ago

    I was right then and I stand by old me

  • @uimvbjhjzephhmfvyvjlhccabj3855
    9 years ago

    i use lynx!!!!!!!!

  • @nullplan01

    5 years ago

    For youtube?

  • @pteppig

    5 years ago

    Oh, that was you

  • @zeroskill.
    1 year ago

    im going to save you 49 minutes, common scanning tools are poorly crafted when it comes to out of the ordinary http response codes, you can (as of 9 years ago) fingerprint which browser a client is connecting with with php using response codes. sending random response codes to suspicious ips can cause scanners to behave strangely. in the end more of a deterrent than any real solution

  • @authorizedblock2373
    5 years ago

    WORLDSTAGE- be safe, have fun. But RESULTS AND irreconcilable RUIN Runs Randomly recurring risk.

  • @pinguimgutembergcarvalho7775
    5 years ago

    I only did this because I don't want to get arrested by you hackers. Simple as that.

  • @creepychris420
    5 years ago

    Opera is awesome again dude, it's 2018 check that shit out

  • @casportflyers
    9 years ago

    A 300 fold. wut

  • @m.h.8729
    9 years ago

    i dont understand anything

  • @talhatariqyuluqatdis

    6 years ago

    Angry addict lol

  • @jonharson

    6 years ago

    Found the script kiddy.

  • @sdfghjghdhjksdfghjd
    8 years ago

    GG first GG

  • @blackneos940
    5 years ago

    What if you speak at Defcon and don't drink because of Bipolar and Autism?

  • @undefined879

    5 years ago

    blackneos940 what

  • @blackneos940

    5 years ago

    @undefined879 I asked exactly that. :)

  • @thesuperpunmaster6369

    4 years ago

    @blackneos940 do it pussy

  • @DeeWeext
    9 years ago

    "a 300 fold" .....

  • @daydodog
    5 years ago

    this is *by far* the most lost i've been watching a defcon talk

  • @Skylarr
    7 years ago

    I'm a little late here xD but I have my servers set up to try to attack the person who's attacking me back

  • @luxzartheglorious

    5 years ago

    He's 13 now

  • @HelloKittyFanMan.
    5 years ago

    Wow, you tested IE from the current one for this part of 2013 clear down to 1.0, eh?

  • @m00str
    7 years ago

    it freaks me out every time a English speaker says "Gesundheit". since it's German for health

  • @RnBandCrunk

    7 years ago

    Rou Lor it's the equivalent of "bless you" in english.

  • @ERIK31351

    5 years ago

    Why would that freak you out?

  • @nopenope7184

    5 years ago

    @ERIK31351 Because "bless you" at least somewhat makes sense and just saying "health" is weird.

  • @alex190291

    5 years ago

    the german set phrase "Gesundheit" has its origin in the idea, that you wish health ("Gesundheit" in german) for yourself when somebody sneezed around you. But nowadays it means you wish "Gesundheit" for the sick person, even if the origin is, that you wish health for yourself :D

  • @berndlauer2894
    5 years ago

    I hate it that they disrupt talks for drug usage.

  • @alex190291

    5 years ago

    @Bobby Fisher i also hate, when someone disrupts my drug usage for talking...

  • @robpatershuk

    5 years ago

    I much prefer when a talk incorporates drug usage. Far more interesting than the alternative.

  • @thedarkness125

    5 years ago

    Man that alcohol is so evil. I wish the devil would burn them down with his fury...shut the fuck up.

  • @HelloKittyFanMan.
    5 years ago

    So... what if some "script kiddies" are watching this and will now learn how to circumvent this kind of defense?

  • @Roxor128

    5 years ago

    Script kiddies are called that because running scripts is about as far as their computing knowledge goes. They don't have the experience to modify their tools to circumvent these measures yet. If they're interested enough to try, they'll probably develop a more-productive interest and end up writing code for a living or end up becoming security researchers themselves a decade down the line.

  • @OEFarredondo
    5 years ago

    Haters lol lazy hackers is all a skittie is

  • @kiraPh1234k

    4 years ago

    Nah, that's too much credit. A hacker actually creates solutions to problems and makes tech do what they want. A script kiddie is generally not a hacker, they have less interest in engineering any solutions and more interest in commiting crime.

  • @carcolgeo
    5 years ago

    "No one cares about edge case stuff" says someone who knew nothing about ai as late as 2013.

  • @HelloKittyFanMan.
    5 years ago

    Oops, there's no such thing as a "PHP page"! Why? Let's see if you can figure that out! ;-) Opes, didn't figure it out? Because "PHP" already _stands_ for "__________ _page_ "!

  • @SJWBach
    6 years ago

    you could rediredt attackers to childporn so the police breaks thair doorin the next 30 minutes xD

  • @SJWBach

    6 years ago

    maybe even government honeypods and not real childporn so they arrive even faster xD

  • @ownageDan

    5 years ago

    @SJWBach ecksdee

  • @luxzartheglorious

    5 years ago

    @SJWBach yer

  • @Tridd666
    4 years ago

    "the big three" "Firefox" This video did not age well

  • @HelloKittyFanMan.
    5 years ago

    "Each to their own"? Oops! What did you think that means? The common phrase that's reminiscent of that is actually " _to each_ their own" (or "to each his/her own").

  • @HelloKittyFanMan.
    5 years ago

    "Respond back"? So you're saying... like... "say something back _back_ "? Oops!

  • @kamigo
    4 years ago

    It would have been better if he was a little bit more polite.

  • @HelloKittyFanMan.
    5 years ago

    Guess what: there's an _easier way_ to say names of years like 2013 instead of "two thousand [and] thirteen": Remember from last and previous centuries when you said "NINETEEN-thirteen," etc.? Well, that method works in this century too; it's less syllables just like before! Try it today!

  • @butteredtoast8666
    4 years ago

    The speaker is pretty melancholy. He's pretty negative. Depressing. He needs some counseling and encouragement or something.

  • @sebastians3773

    4 years ago

    He's British. That's racist.

  • @HelloKittyFanMan.
    5 years ago

    Oops, there is no such character as "Miss Pac-Man." Why? Because the closest thing we have to that is Ms. Pac-Man ("Ms." refers to either married or single; "Miss" is for single only.) But good attempt at a joke with that, still!

  • @jwadaow

    5 years ago

    Hello Kitty Lover Man! Ms. Being a fake artificial article

  • @HelloKittyFanMan.
    5 years ago

    "I know... nothing." Yeah, like... where to use commas or _not_ use them! Case in point: "The wisest man,"... (oops) ...."is he who knows,"... (oops again) ..."that he knows nothing." Well, not _absolutely_ nothing.

  • @HelloKittyFanMan.
    5 years ago

    "No one really cares who the speaker is"? um... do you think you're a mind reader? I have news for you: you're not one!

  • @HelloKittyFanMan.
    5 years ago

    "TL;DR"? Nope, this is a speech with visuals, so more like... TL;DW! ("Watch"!)

  • @HelloKittyFanMan.
    5 years ago

    OR... why not just scan your sites yourselves and then _fix your vulnerabilities?_
