by ottertown 3753 days ago
Man, I work as a frontend engineer at one of the big tech companies and I understood like 25% of this post.

And that's not meant to be a criticism, I'm just reflecting on my total ignorance of most security vulnerabilities. I know about and have implemented some measures against XSS / CSRF, but it's clear there are dozens of attack approaches I'm not even aware of.

I feel like I have some homework to do.

6 comments

The root problem is that something which shouldn't be HTML was sent back with the HTML mime type.

Usually this happens with content type sniffing (i.e. no MIME type is specified), but it leaves the door open to attacks like these. It changes the handler of the input from code designed to care about security (i.e. your upload handler code) to code designed to care about usability (MIME sniffing heuristics, or in this case the decompression/rendering library).

When this happens you usually get bad/unexpected results, but it makes it easy to figure out where you can stop caring about implementation details: when the user input leaves the area of the code designed to secure it!
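The point of the comment above is that the upload handler, not a sniffing heuristic downstream, should be the code that decides what the bytes are. The following is an added example (not code from the thread or from any of the sites it discusses) of an upload response helper that derives the Content-Type from the file's own leading bytes, tells the browser not to sniff, and serves anything it cannot positively identify as an opaque download. The allow-list of image signatures and the function names are assumptions made for the example.

```python
"""Added example: serve an upload without letting the browser decide it is HTML.

The client-declared Content-Type never enters this decision; the type is
taken from the bytes themselves, the browser is told not to sniff, and
anything unrecognised is sent as an opaque download.
"""
from typing import Dict, Optional

# Magic-byte prefixes of the only upload types this handler will serve inline.
# (Hypothetical allow-list chosen for the example; extend it to fit your service.)
INLINE_TYPES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def detect_inline_type(data: bytes) -> Optional[str]:
    """Return the allow-listed MIME type matching the file's leading bytes, or None."""
    for prefix, mime in INLINE_TYPES.items():
        if data.startswith(prefix):
            return mime
    return None


def upload_response_headers(data: bytes) -> Dict[str, str]:
    """Headers for returning stored upload bytes to a browser.

    X-Content-Type-Options: nosniff keeps the browser from second-guessing
    the declared type; anything not positively identified is served as
    application/octet-stream with Content-Disposition: attachment so it is
    downloaded, never parsed as a document.
    """
    headers = {"X-Content-Type-Options": "nosniff"}
    mime = detect_inline_type(data)
    if mime is None:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    else:
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = "inline"
    return headers


if __name__ == "__main__":
    # Constructed sample inputs: a PNG-style header and a file that is really HTML.
    png_like = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html_like = b"<html><body>constructed, not an image</body></html>"
    print(upload_response_headers(png_like))
    print(upload_response_headers(html_like))
```

The "unknown means download" branch is the important one: a file that carries an image extension but starts with markup ends up as an attachment with no document type, so the question of which parser receives it never arises. Whether the nosniff header is honoured is still up to the browser, which is why the fallback does not depend on it.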

Well, he's a security specialist. And I feel he's figuring out new ways to attack. If you're not an attacker yourself, then I think you'll always lag behind.

I'm currently taking a security class and what I'm noticing is that I mistake the complicatedness for complexity but in essence most vulnerabilities and attacks have the same high level overview.

What I'm trying to say is: don't feel so bad, if you understood 25%, then you know more than you think. Perhaps you too are captured by the complicatedness of his post ;)

> I mistake the complicatedness for complexity

You conjugated the same word two ways. What do you mean?

Complexity is an adjective turned into a noun.

Complex -> complexity

On the other hand, complicatedness is a verb turned into an adjective turned into a noun.

Complicate -> complicated -> complicatedness

I read that as an implication that security concepts are not inherently difficult but are made difficult by people who explain it incorrectly.

I think he meant the difference between things being complicated (possibly unnecessarily) and complex (inherently). Simple things can be complicated to the level they're hard to understand, but it doesn't mean they are complex.

Yes, this is what I meant. Perhaps I should've given a bit more context in my original post.

Here's a fun example. English has so many Latin- and Germanic-based words in it that you can construct entire sentences from either. I was surprised to find that out as a non-native speaker. In my opinion, the Latin sentences seem way too complicated to express simple ideas.

Germanic example: In my anger I struck my small sword in his belly.

Latin example: In my rage I injected my gladius in his abdomen.

More examples: http://corrinejackson.com/wordpress/2013/04/23/tuesday-writi...

http://www.antimoon.com/forum/t2068.htm

The two major issues here:

1. Allowing something that is not HTML (and user-supplied) to be returned by the server with the text/html MIME type, causing the browser to want to parse it as HTML.

2. A link between the CDN (Akamai) domains and a top-level sub-domain on Facebook (i.e. photos.facebook.com was aliased to some Akamai domains).

At this point the attacker is able to serve HTML from a Facebook domain. There are things that could be protected against here, but the attacker has a lot of vectors they can go for at this point.

It's interesting that you think working for a big tech company makes you especially qualified (or else you would not have mentioned it here). By working for a smaller company, you'd have to know these things or else face a world of pwnage.

> I feel like I have some homework to do.

Start with X-Frame-Options and HttpOnly cookies.

And Secure, if you're using HTTPS (which you should be)
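As an added example (not code from the thread), here is the starter set the two comments above name, X-Frame-Options plus HttpOnly and Secure cookies, written as a small Python helper together with a checker that reports which of those protections a response is missing. The Content-Security-Policy frame-ancestors directive and the SameSite cookie attribute are included as additions beyond the comment; the function names and the sample responses are assumptions made for the example.

```python
"""Added example: the starter header set from the comments above, plus a checker.

Covers X-Frame-Options, HttpOnly and Secure as named in the thread; the
Content-Security-Policy frame-ancestors directive and the SameSite attribute
are additions beyond the comment (modern counterparts, not in the original).
"""
from http.cookies import SimpleCookie
from typing import Dict, List


def baseline_headers() -> Dict[str, str]:
    """Response headers every HTML page of the app should carry."""
    return {
        "X-Frame-Options": "DENY",
        # Modern equivalent of X-Frame-Options for browsers that honour CSP.
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def session_cookie(name: str, value: str, https: bool = True) -> str:
    """Build a Set-Cookie value: HttpOnly keeps script away from it, Secure keeps it off plain HTTP."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    if https:  # Secure is only meaningful when the site is actually served over TLS
        jar[name]["secure"] = True
    return jar[name].OutputString()


def audit_response(headers: Dict[str, str], set_cookie_values: List[str]) -> List[str]:
    """Return the list of missing protections for a response (an empty list means clean)."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for cookie_name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"cookie {cookie_name} lacks HttpOnly")
            if not morsel["secure"]:
                findings.append(f"cookie {cookie_name} lacks Secure")
    return findings


if __name__ == "__main__":
    # Constructed sample: a hardened response and a bare one.
    print(audit_response(baseline_headers(), [session_cookie("sid", "abc123")]))
    print(audit_response({}, ["sid=abc123"]))
```

The checker is the part worth keeping around: run it over the headers your app actually emits (a test client or a proxy capture will do) rather than over the ones you believe it emits, since a missing Secure flag on one cookie path is exactly the kind of thing a header-by-header read misses.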

Don't worry. Facebook's engineers missed this one too.