Note to self.. Check types of incoming information, not just that it exists.

Fun fact: in PHP 8 these warnings for incorrect types passed to functions kill the script with an error instead

this is why every production php application should hard crash on warnings

The deadly bug is PHP itself.

"Let's craft a cryptographic function which is very likely to be used in security contexts, and let's not fail when unexpected things are passed to us. What could go wrong." I'm livid.

That HMAC function definitely should have just thrown an error. It is incumbent on the programmer to know all possible states of a given algorithm, but if you look at the documentation null isn't even listed as a possible return value for hash_hmac. The fact that it's a cryptographic function, I almost have to wonder if that was put there intentionally. This definitely shows the importance of proper user-input sanitization.

Thanks for the super detailed walkthrough. I love how you concisely laid out your thought process and the various ideas you had or the checks to do, whether they worked or not for this instance.

I watched this video first a year ago, and now I am watching it again. I understand so much more but don’t feel like I could even get close to solving it. December 2020 I will come back and see what I think then.

I originally thought the "deadly bug" was the use of PHP.

this is the fourth vid i have watched by you and i have to say, youre a real mvp. I am interested very much in the stuff you cover on your channel, but not enough to really get into it or to justify dropping other hobbies for it. Thank you for more or less staying at the same niveau of needed knowledge for the most part. great content, keep it up ^^

"Stupid brain, so unreliable" Story of my life....

I can't code, but you explain well enough that I'm actually beginning to understand bits and pieces and patterns.

I started with Php when I was a young teen... Misplacing the argument/parameters in methods is far too easy and common. Php is a language of inconsistencies, always important to triple check for that sort of thing.

You left out the Environment Elephant in the code room issue. On unixy servers that have multiple users, it is often easy to see the environment variable values of another user's processes. So if anyone else on that server can see your secret, they could possibly do more damage than just what that one script has access to. This is a known security issue that has popped up at times over the decades. In hardened OSs, users may be blocked from seeing the process of other users (and thus their environment), but that shouldn't be assumed in web code.

So... The vulnerability was actually 2 dumb and exploitable vulnerabilities... That hash_hmac function gives a WARNING when fed an array and returns a NULL?? also... the secret can be NULL... (facepalm). What gives? What is the benefit of having a NULL secret? Please, let me know, I'm puzzled.

This video after long time reminded me of what amount fun we can have. Thanks for the great video.

I don't know anything about coding and KZbin recommended this video. I have no idea what was talked about in this video but keep it up, good stuff.

I’m surprised you didn’t at least mention the timing unsafe hash comparison. PHP has a built in hash_equals() function to mitigate...

It's php, that's your deadly bug right there.

This is the first time I understand why people dislike PHP ... cheesus. EDIT: is this hash_hmac part of the core lib or some 3rd party screw up?

whatching php bugs is just like watching wheels turn. It never ends.

Very good explanation, but as an habit I always check if a variable is null if the function may return null. That is a great example how it can have effects on live servers, not very visible at the beggining but if someone covers it your data and privacy is gone. Oh, also your money too.

I honestly had no idea you could pass an array like that

Man you are doing an amazing job at these kind of videos ! Really enjoyed this one ! Keep making similiar kinds of videos . Getting into the nooks-n-crooks of things is what I always wanted !

Thankyou! as someone trying teach themselves code, your explanations were really informative.

Nice videos. I enjoy them (even though I already know a lot of the stuff). Your way of thinking matches a lot of how I think when looking at code.

Great video, i got to the same part as you at the end but i couldn't figure out what kind of input would change the type, and I got lazy and just watched the video instead

Thanks to the subtitles i can underestand all ty liveoverflow

thumbs up for using redstar os. ;)

This was such a good video! Please make more like this. You've earned a loyal subscriber :)

Also, timing attack on "!==" might be possible.

Thanks for another awesome video!! This channel gets me pumped to capture some flags :D

On top of what you found the last line itself is a deadly bug, Passing data directly into exec opens a door for all kinds of injections.

Love that. Back when I was young, I did such thinking all over the day and found so many critical bugs in different servers. I somehow even managed to get into a MySQL backend that wasn't even secured with a login, so with little coding experience and never hearing of PhpMyAdmin, I had control over sensitive data. Of course I did nothing bad.. it was a gaming server (CS 1.6) and I just played around with my own stats to see what will happend and get some experience about PMA. Back then I was so good at playing that the admins thought that I am cheating (the server had a mod called "Uwc3 Mod" in which you could get a skill to steal money from your enemies.. combined with experience and sounds from the enemies, predicted shoots trought the walls after hearing small steps and seeing that I get money, would make me KNOW that an enemy is there.. of course this looks like I can see trough walls) so I got banned from the server. While looking at the PMA I also cound a banned users list.. so I tried out if I get unbanned when I remove my self from there.. was funny having such might! But like Spiderman said.. with big might comes big responsibility.

why does youtube not recommend people like you... why do i have to search so hard!!!

Great thinking. In the end it's all so obvious! There must be so many vulnerabilities in my code...

I've watched a few of your videos now and this is the first time I really understood what you were saying. I learned about Hashing algorithms in my SEC+ class. I just wanted to share my happiness for knowing like 80% of what you were saying.

obv the bug is

Uncovering the deadly bug was truly exciting !

In PHP, === is often optional, and quite often, == is what you want, since the type juggling it does generally makes sense, and are often useful. In JS, === is pretty much mandatory, since it's type juggling skills are about as good as someone driving after downing 2 cases of beer.

Most PHP frameworks turn warnings/notices/errors into exceptions so that will mitigate these sort of issues.

An other possibility is PHP is configured so all errors are fatal. If the PHP do not have an error handler, it usually display them with the scope variables. That would expose the value of $secret, allowing you to forge any signature to futur requests.

I watched this video when it came out. 2 years later I am a php developer and I watched it again. It felt completely different :)

A lot of similar bugs would simply never exist, if PHP would use strong typing. It is really annoying that you can't even rely on the equal sign. What would be the best practice to bulletproof this code? - check agaings NULL secret -> checks against this specific bug, others may still exist. - check every user supplied variable to be the valid type, i.e. not an array and are string? - I think the hmac function should die. It is a security function, I can't imagine a worse outcome of a hash function than it is always returns the same value regardless of the input data. Is this behavior considered bug by you? - By the way, passing directly a formally unchecked user input to exec also does not seem to be the smartest thing either. :-)

There is no salting value to generate a value to test against the hash issued, no filter_var on the input and no white listing and the exec function can be exploited.

Every single video on this channel is amazing and 100% informative. ..... I love this channel....

more of these challenges please

Awesome video! Really made me understand better how to approach something like this.

First I thought, you could bruteforce the nonce, just try it until you get from the server something else than 403. But then... WTF PHP Why would you return NULL here? That's completely unexpected. If I use a hash function, I'd expect it to return a hash. Hash functions do nothing else, what ever you give them, they return a hash. And that hash would be as you expect a hash to be. Which is certainly anything else than NULL. Of course you can't just cast an array to a string, that's a type error. But the function should then either set the second parameter to "0" (lazy but still not breaking because here the nonce is always "0" and you still get a proper hash) - or throw a proper exception and die. Once again, sloppy designed build-in functions, that behave unexpected.

9:47 i had to get here and get reminded that you can to client-side php arrays, and then... i bet that if you supply an empty array, isset == true, but then output of the hash functions is either predictable, or a predictable gibberish (for example it spits out null or false or something like that), making all the rest of the checks "pass" == get skipped, basically

For someone who is just starting off with programming and only knows the anatomy of code so far, this was oddly logical :o :) One piece of feedback: My eyes didn't like the sudden transition from dark to bright white backgrounds :)

This is absolutely awesome. Thank you for making this.

I had paused the video at the beginning and came up with a completely different answer: the !== likely stops upon the first mismatching character, leading to a timing side-channel. (The time it takes for the server to reject your request increases with the number of correct characters in the submitted HMAC, so characters in the correct HMAC can be learned one-at-a-time by seeing which next character results in the highest average response time.)

PHP team, please update your documentation. Inform about returning null value. We developers heavily trust your documentation.

if you could capture just one valid message from a request, then you can break this a different way. example: assume you capture a request where the host = 'www.example.com' and the hmac = 'foobar' (just ignore the invalidity for simplicity). now you can predict the secret: if you use 'www.example.com' as the nonce then you know the final secret is 'foobar' and can hash your payload with that

I love how you explain it. :D

BTW, „$hmac !==..“ is not a secure comparison, it is not constant time. Use hash_equals($s, $t) instead to avoid side channel leaks about the validation hash.

I clicked only after you mentioned about the array input trick. It's not even a thing in languages I usually use. They just throw uncaught exceptions and crash.

Amazing video man i have been learning a lot in this lock down this is all because of you and John Thanks a lot for making videos and spreading knowledge amazing work . Lots of respect to all those who share knowledge.....

Ironically, this video is causing the Roku KZbin app to crash. It's only happening when I highlight the video from the front page, where it animates the videos in a preview. Selecting the video in subscription has no preview animation and doesn't cause the crash.

I expected a completely different approach to that challenge when I reviewed the code in the beginning. I guessed that the challenge description contains an example invocation of that PHP script *without* the optional nonce, so you know the HMAC for one specific safe string like "www.google.com". In that case, you could input the safe string as nonce, and the new nonce-specific secret will be the public HMAC for the safe string, which enables you to calculate the HMAC for any input you want.

Everyone is saying how PHP sucks, but probably haven’t written anything serious in it. It’s a good language if you know how to use it, just like any other language.

Literally every word went above my head..... Still watched the whole video xD

PHP is the fractal that keeps on giving.

It's like php is developed specially for hackers. Checking the type and value of a user input before passing it into a function is good practice for any programming language though.

before watching: does it have to do with the exec? and couldn't you basically use the post value as a way to run code through it? (i never really looked at php, i have little to zero knowledge what the code does but i can assume) edit: ah nvm

Oh yes, little bobby tables, we call him!

I actually got as far as determining that the goal here would be to set a value for nonce that would allow you to compute the hmac that made the !== statement true, but I'm not a programmer so wasn't able to determine on my own what to set the nonce to. I was really big into studying the security of the xbox 360 and learning how all the exploits worked so that definitely helped me out here.

The fact that hash_hmac doesn't exit the code on such an error is actually shameful. What is the use of having it return a NULL value and return? The sole purpose of it providing a secure string is just absent then? In that case, a function without an actual function.

the biggest bug is that input for the exec was not escaped at all

Took me a bit, but I effectively ended up following the same path as LiveOverflow. My first thought was to try and force an integer or float type into the nonce, but that wasn't giving the results. Then I remembered that POST parameters can be arrays, and the rest followed. One line fix, by the way: $nonce = "".$_POST['nonce'];

I am programming PHP at the moment. Coming from C++ the security of the code is lifted to a whole new level when programming PHP. These are always the unpredictable things in the language, C++ is much more straight forward in my opinion in that regard.

I never knew PHP could be so much fun! Terrfic vid!

Pretty good. Thank you for sharing your knowledge

Your logics are amazing!

I really liked this video topic and format. Thanks!

well normally that shouldn't be an issue, you should always validate user input, i learned that the hard way.

The missing curly brackets is it first thing that caught my eye.

Love this kind of video and would like to see more like it!

0:04: execute arbitrary data without filtering, set “host” to “lorem ipsum; murder_computer();”

learned a lot , thanks for your video

I thought the answer would be forcing that !== Line to check null = null and pass but really i have to know that hmac function inside out to reach the real answer.

Before solution: The secret used in hashing is dependent on user input

I understood none of that, but have the feeling that I learned something.

the deadly bug is the whole PHP language

Root insurance car ad comes on: Hello, we are root Me: 🙄😯 how did you get root

Besides executing non-escaped shell code from a user-generated request, one that can be rather manipulated as well (there's a couple things wrong here, but the unsanitized user input being executed using exec()... Yeeaaa, bad shell code is bad. Also to those shitting on PHP, it's not a bad language, it's the coders themselves who practice bad coding. It's a rather powerful language in the right hands that can do some very crazy stuff, see ReactPHP for example, pretty much creates a Node-like async runtime environment right there in PHP.

My guess formatted as type: < LIBRARY : Shell view! > >> python3 phpRunner.py Which PHP file? >>> challenge.php Executing... Complete! Output: Console output: SyntaxError: Expected { on line 10

Since a lot of you guys hate PHP, what are some substitutes for it?

Bro I am missing your videos 😭😭.. keep upload this type of videos

Great video ... thanks man for sharing

The host parameter is not sanitized. An attacker can pass extra commands to the exec function and cause them to be executed at the same privilege level as the php script.

I was completely bamboozled until i remembered that PHP is the language with cryptographic primitives that **** themselves for no good reason. These are the kinds of things that put PHP on the blacklist for me. I'm not that fond of the stylistic aspects of the language -- that's my original reason for dropping it. But even if I was willing to put up with that, I would need major reform of the standard library to be willing to touch it. The strict types feature in PhP is a step, but it's nowhere near enough. Things like the inconsistent handling of null bytes in strings make me constantly worry that code which looks perfectly sensible will explode for no good reason. I'd also need a corresponding reform in the PHP ecosystem in order to do much of significance -- many of the "big players" in the ecosystem have awful track records. How much of that was really inherited from the language and standard library? How long would it take for them to actually transition to this hypothetical, sensible version of PHP?

Excellent explanation. You deserve my subscribe.

Can reproduce this in 2022, was there any changes in PHP? Fatal error: Uncaught TypeError: hash_hmac(): Argument #2 ($data) must be of type string, array given in .... hash_hmac('sha256', Array, 'asd') ....

if they are going to play a game, use line numbers -- makes it easier to call out the offending line(s).

PHP is always so full of surprises!

At 8:15 as you talk the bug was clear to me, isset could be also null :) then secret will be null and thats the exploitation

Who does not love dynamically typed languages!

Damn that! When I first saw this I didn't couldn't understand shit. But, today I saw it again and now that I understand it, I wanna explore more. Thanks man! You inspire me to keep going