Nice talk. The moral is the same as Spectre: too much push on performance without caring about security.
@MherZaqaryann 1 year ago
Very clear explanation, respect to this guy!
@SuperMarkusparkus 6 years ago
Sometimes adding a semicolon with some junk thereafter will not change the way the web server interprets the URL. This is common in Tomcat. webserver/path/to/page and webserver/path;junk/to;.junk/page;.css will be treated the same. I guess this could be used as a way to change the extension of the URL and hence make some things cacheable.
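A worked model of the mismatch this comment describes (added here, not code from the talk or from the commenter): a cache rule that decides from the extension of the raw request path, beside an origin that drops ";..." path parameters from each segment the way Tomcat does, and a hardened cache rule that normalises the path first and checks the origin's Cache-Control and Content-Type before storing anything. The extension table, the function names and the sample response headers are constructed for the example.

```python
"""Model of the path-parameter mismatch between a CDN's cache rule and a
servlet container.  Added example, not code from the talk or the commenter.
The extension table and the sample response headers are constructed."""

from typing import Optional

# Constructed for the example: extensions a static-asset rule would cache,
# with the Content-Type the origin should return for each of them.
STATIC_TYPES = {
    ".css": "text/css",
    ".js": "application/javascript",
    ".png": "image/png",
    ".jpg": "image/jpeg",
}


def strip_path_parameters(path: str) -> str:
    """Normalise like a servlet container such as Tomcat: in each path
    segment, everything from ';' to the next '/' is a path parameter and is
    ignored when the request is mapped to a resource."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def extension_of(path: str) -> Optional[str]:
    """Extension of the last path segment (e.g. '.css'), or None if absent."""
    last = path.rsplit("/", 1)[-1]
    dot = last.rfind(".")
    return last[dot:].lower() if dot != -1 else None


def naive_cache_decision(raw_path: str) -> bool:
    """Weak CDN rule: cache whenever the raw request path ends in a static
    extension.  It never looks at normalisation or at the origin's response."""
    return extension_of(raw_path) in STATIC_TYPES


def is_deception_candidate(raw_path: str) -> bool:
    """True when the cache would store the response while the origin maps the
    same request to a resource with no static extension: the two parsers
    disagree, so a personalised page can end up in the shared cache."""
    normalised = strip_path_parameters(raw_path)
    return naive_cache_decision(raw_path) and not naive_cache_decision(normalised)


def hardened_cache_decision(raw_path: str, response_headers: dict) -> bool:
    """Cache rule that does not trust the URL alone: normalise first, require
    the static extension on the normalised path, refuse private/no-store
    responses, and require the Content-Type the extension implies."""
    normalised = strip_path_parameters(raw_path)
    ext = extension_of(normalised)
    if ext not in STATIC_TYPES:
        return False
    headers = {k.lower(): v.lower() for k, v in response_headers.items()}
    cache_control = headers.get("cache-control", "")
    if "private" in cache_control or "no-store" in cache_control:
        return False
    return headers.get("content-type", "").startswith(STATIC_TYPES[ext])


if __name__ == "__main__":
    victim_request = "/path;junk/to;.junk/page;.css"
    print(strip_path_parameters(victim_request))   # /path/to/page
    print(naive_cache_decision(victim_request))    # True: '.css' on the raw URL
    print(is_deception_candidate(victim_request))  # True: origin serves /path/to/page
    # Constructed headers for the personalised page the origin actually returns.
    personalised = {"Content-Type": "text/html; charset=utf-8",
                    "Cache-Control": "private, no-store"}
    print(hardened_cache_decision(victim_request, personalised))  # False
    real_css = {"Content-Type": "text/css", "Cache-Control": "public, max-age=86400"}
    print(hardened_cache_decision("/static/site.css", real_css))  # True
```

The hardened rule still refuses to cache when a request such as /static/site.css is answered with text/html, so a URL that merely looks static is not enough on its own; the origin's own headers have to agree.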
@derek5863 7 years ago
Some penetration tools used to perform automated assessments of vulnerable sites must be adding a lot of data to these caches. Particularly authenticated fuzzing or file/directory brute-force. Let's hope tool developers don't use known file names and locations, and customers always sanitise their test DBs. 8-(
@hackersguild8445 6 years ago
Awesome talk. :)
@MrM4X0N3 6 years ago
Good talk!
@HackingwiththeMiddle 7 years ago
Awesome!
@thesenuts4472 6 years ago
Applaud this man.
@director1111 7 years ago
Why are you guys putting it online 6 months later?
@SuperMarkusparkus 7 years ago
What do you mean?
@mleczkoxdTakTenmleczko 3 years ago
Using the name Java wasn't a good idea because it's a little bit confusing.
@BR-lx7py 7 years ago
IMO you are not mentioning the only real solution: serve your cacheable and personalized/non-cacheable content on different domains. Use a very simple CDN configuration for the latter that does not cache anything, or no CDN at all if your origin can handle that. Otherwise you are only one mistake away from some major egg on your face. It is way too easy to make a configuration error in the CDN, or have the origin send the wrong headers by mistake.
@TheDarkHorseUprising 7 years ago
Love this talk, so badass.
@PitchBlackHat 7 years ago
Not as badass as your avatar! ;)
@jasonlind3065 5 years ago
Haha, I did this to cheat on my ochem online homework when I forgot to do it and it was about to be due. Still got a B though.