ISC StormCast for Monday, December 5th 2016
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 4 December 2016
⏱️ 5 minutes
| 0:00.0 | Hello, welcome to the Monday, December 5th, 2016 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, |
| 0:09.5 | and I'm recording from Jacksonville, Florida. Gareth Heyes has a really interesting blog post at PortSwigger |
| 0:17.2 | about how polyglot images can be used to bypass Content Security Policy. Polyglot images |
| 0:25.5 | aren't really a new issue, but in particular with cross-site scripting, they're now getting |
| 0:31.3 | more and more attention, I think rightfully so, because there are a number of different bypass techniques that can be |
| 0:40.2 | triggered by, or can take advantage of, these images. The term polyglot images refers to images |
| 0:47.8 | that are by themselves valid image files, but they can also be interpreted as something else. In our Defending Web Applications |
| 0:57.9 | class, for example, we have an example where we do have a valid JPEG image that's also PHP code. |
| 1:05.6 | And really all that's done in that case is to insert PHP code as a comment as part of the EXIF data. |
| 1:13.6 | Now in this particular example shown by PortSwigger, it's a little bit more complex, but essentially the entire image is also JavaScript, by inserting comment characters in the right spot and then using just some zero bytes for padding. |
| 1:32.9 | This PortSwigger blog post also has a number of really great links that sort of introduce you more |
| 1:38.8 | into what polyglot images are beyond this particular application of them to bypass content security |
| 1:47.4 | policy. Any good pentest class should have told you that as part of your reconnaissance, |
| 1:54.4 | you probably want to look for any code that developers have posted on sites like Stack Overflow asking for help. |
| 2:03.6 | Well, a researcher now went over all of these postings on Stack Overflow |
| 2:08.6 | and tried to figure out how many of them do include SQL Injection vulnerabilities. |
| 2:15.6 | He focused on PHP here and essentially wrote a script that went |
| 2:20.0 | through Stack Overflow to find all PHP code with SQL injection vulnerabilities. And he found |
| 2:27.8 | that a staggering 40% of code samples in questions did include SQL injection. |
| 2:35.0 | Now, if you wonder if SQL injection is ever going to go away: |
| 2:40.0 | in this particular experiment the data goes back to 2006, and really the rate was amazingly steady around 40%. |
| 2:50.0 | Now without any more detailed analysis the data set is a little bit |
... |

