Gabor Javorszky - @javorszky - 6th August 2019
Slides: wpbristol.j7y.co
In the context of software or information modeling, a happy path is a default scenario featuring no exceptional or error conditions.
Amazing, 7 Eleven launch mobile payment app: a day after launching it attackers stole half a million USD from customers, as the app had no security around password reset (any user could reset anybody else’s password) https://t.co/EyBrcFYMlL
— Kevin Beaumont (@GossiTheDog) July 4, 2019
Not exactly. Code releases go through a CI process and geographic/customer segment tiered rollout. On the other hand, WAF Rules are generally more like a configuration language. We push them out to respond to new attack threats. Customers expect them to be live globally quickly.
— Matthew Prince 🌥 (@eastdakota) July 5, 2019
https://blog.cloudflare.com/details-of-the-cloudflare-outage-on-july-2-2019/
It’s long, full of technical details, and just amazing at its complexity.
One morning ~3700 emails went out that shouldn’t have gone out.
A QA engineer walks into a bar. Orders a beer. Orders 0 beers. Orders 99999999999 beers. Orders a lizard. Orders -1 beers. Orders a ueicbksjdhd.
— Brenan Keller (@brenankeller) November 30, 2018
First real customer walks in and asks where the bathroom is. The bar bursts into flames, killing everyone.
Had to have this explained to me by programmer friend pic.twitter.com/bUhCUBqxJM
— John Rentoul (@JohnRentoul) December 2, 2018
Wait, this gif is based on a true story? pic.twitter.com/Lk7z9rmaNm
— Richard Yannow (@RichardYannow) December 2, 2018
All of these situations arose because software was made to do something that the humans writing it had not considered.
Undergone PCI compliance training for client.
Had conversations where unknowns were present.
Regular Tuesday when I deal with an API that just goes away.
It's what makes WordPress extensible.
Also what makes WordPress very easy to break.
Every single esc_* function in WordPress is there because of this.
Additionally the wp_kses_* functions and the PHP native strip_tags().
Let's handle payment with a card through an API (Stripe for example)
You post some data, and you get some data back, for example an autocomplete service.
What happens if that service starts returning poisoned payloads?
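An added example (not from the talk) of treating that autocomplete response as untrusted input: the JSON is constructed here to contain a broken entry, a non-string entry and an HTML payload, and htmlspecialchars() stands in for WordPress's esc_html() so the script runs without WordPress.

```php
<?php
// Added example: shape-check a third-party API response before use, escape on output.
// Every unexpected item is dropped instead of crashing the page or reaching the browser raw.

function parse_suggestions( $body, int $max_len = 100 ): array {
    $data = json_decode( $body, true );
    // Bad JSON or an unexpected top-level shape: return nothing rather than fail later.
    if ( json_last_error() !== JSON_ERROR_NONE
        || ! is_array( $data )
        || ! isset( $data['suggestions'] )
        || ! is_array( $data['suggestions'] ) ) {
        return [];
    }
    $clean = [];
    foreach ( $data['suggestions'] as $item ) {
        // Each item must be an array with a string 'label'; anything else is skipped.
        if ( ! is_array( $item ) || ! isset( $item['label'] ) || ! is_string( $item['label'] ) ) {
            continue;
        }
        $label = trim( $item['label'] );
        // Empty or oversized (byte length) labels are skipped too.
        if ( $label === '' || strlen( $label ) > $max_len ) {
            continue;
        }
        // Escape at the output boundary (esc_html() in WordPress).
        $clean[] = htmlspecialchars( $label, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    }
    return $clean;
}

// Constructed "poisoned" response: one good entry, one script payload, one number,
// one bare string instead of an object, one empty label.
$response = '{"suggestions":[{"label":"Bristol"},'
    . '{"label":"<script>alert(1)</script>"},{"label":42},"junk",{"label":""}]}';

foreach ( parse_suggestions( $response ) as $suggestion ) {
    echo "<li>{$suggestion}</li>\n";
}
```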
But also it's just a good practice anyways. Suggestions:
Removed bits first.
WC_Order_Factory::get_order( $order_id );

$classname = apply_filters(
    'woocommerce_order_class',
    $classname,
    $order_type,
    $order_id
);
return new $classname( $order_id );
+
add_filter( 'woocommerce_order_class', function() {
    return 'NoSuchClass';
} );
=
Warning: Uncaught Error: Class 'NoSuchClass' not found in ...
rip
$classname = apply_filters( 'woocommerce_order_class', $classname, $order_type, $order_id );
if ( ! class_exists( $classname ) ) {
    return false;
}
return new $classname( $order_id );
+
add_filter( 'woocommerce_order_class', function() {
    return 'NoSuchClass';
} );
=
// false is returned
👍
$classname = apply_filters( 'woocommerce_order_class', $classname, $order_type, $order_id );
if ( ! class_exists( $classname ) ) {
    return false;
}
return new $classname( $order_id );
+
add_filter( 'woocommerce_order_class', function() {
    return 'ClassWillThrowExceptionOnInit';
} );
+
class ClassWillThrowExceptionOnInit {
    public function __construct() {
        throw new Exception( 'No instance for you' );
    }
}
$classname = apply_filters( 'woocommerce_order_class', $classname, $order_type, $order_id );
if ( ! class_exists( $classname ) ) {
    return false;
}
try {
    return new $classname( $order_id );
} catch ( Exception $e ) {
    wc_caught_exception( $e, __FUNCTION__, func_get_args() );
    return false;
}
+
add_filter( 'woocommerce_order_class', function() {
    return 'ClassWillThrowExceptionOnInit';
} );
+
class ClassWillThrowExceptionOnInit {
    public function __construct() {
        throw new Exception( 'No instance for you' );
    }
}
$classname = apply_filters( 'woocommerce_order_class', $classname, $order_type, $order_id );
if ( ! class_exists( $classname ) ) {
    return false;
}
try {
    return new $classname( $order_id );
} catch ( Exception $e ) {
    wc_caught_exception( $e, __FUNCTION__, func_get_args() );
    return false;
}
+
add_filter( 'woocommerce_order_class', function() {
    return [ 2 ];
} );
But why would anyone DO THAT?!
Can you mathematically PROVE that that won't happen? Nope. So handle it.
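An added, standalone PHP version of the factory (not WooCommerce's code; all class names are made up) that handles every case above, including the array return, plus one the slides don't show: a class that exists but isn't an order. The filter hook is simulated with a plain callable so it runs without WordPress, and it catches Throwable because PHP Errors such as TypeError are not Exceptions and would slip past `catch ( Exception $e )`.

```php
<?php
// Added example, not WooCommerce's own code. Class names are invented for the demo.

abstract class Abstract_Order {
    public $id;
    public function __construct( $id ) { $this->id = (int) $id; }
}
class Simple_Order extends Abstract_Order {}
class Throws_On_Init extends Abstract_Order {
    public function __construct( $id ) { throw new Exception( 'No instance for you' ); }
}
class Not_An_Order {} // exists, but callers expecting an order must not get it

// $filter stands in for apply_filters( 'woocommerce_order_class', ... ).
function get_order( $order_id, callable $filter, $default = 'Simple_Order' ) {
    $classname = $filter( $default, 'shop_order', $order_id );

    // 1. The hook may return a non-string such as [ 2 ]; class_exists() would
    //    TypeError on PHP 8 and warn on PHP 7, so check the type first.
    if ( ! is_string( $classname ) || ! class_exists( $classname ) ) {
        return false;
    }
    // 2. A real class that is not an order is still the wrong thing to return.
    if ( ! is_subclass_of( $classname, Abstract_Order::class ) ) {
        return false;
    }
    // 3. Throwable covers both Exception and Error (TypeError, ArgumentCountError, ...).
    try {
        return new $classname( $order_id );
    } catch ( Throwable $e ) {
        error_log( __FUNCTION__ . ': ' . get_class( $e ) . ': ' . $e->getMessage() );
        return false;
    }
}

// Constructed filter callbacks, one per failure mode from the slides plus the extra one.
$cases = [
    'untouched'         => function ( $classname ) { return $classname; },
    'missing class'     => function () { return 'NoSuchClass'; },
    'throws on init'    => function () { return 'Throws_On_Init'; },
    'not an order'      => function () { return 'Not_An_Order'; },
    'array, not string' => function () { return [ 2 ]; },
];
foreach ( $cases as $label => $filter ) {
    $order = get_order( 42, $filter );
    printf( "%-18s => %s\n", $label, $order ? get_class( $order ) : 'false' );
}
```

Only the untouched case yields an order object; every other filter result comes back as false with the failure logged, and the caller keeps working.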
Software should fail gracefully: enter a state where it can either restart itself, or tell the user that it failed, why it failed, and what to do so it doesn't fail again.
All without preventing further work.
Lack of time
Lack of management buy-in
And...
Yeah people who are mocking CO's security people are being meanie poo heads. 99% of the time there's a glaring sec flaw there's an email from an exasperated engineer saying "THIS IS ALL BAD" and someone replying "we accept the risk"
— The Cyber (@r0wdy_) July 30, 2019
Exactly that. Many good orgs carry a metric ton of risks because the organisation has chosen to accept them, I don’t think people realise
— Kevin Beaumont (@GossiTheDog) July 30, 2019
People should never take my tweets as laughing at InfoSec teams btw, as I’m in the trenches doing same thing. It’s a good learning moment tho
Pretty much all of this: https://github.com/kdeldycke/awesome-falsehood