Monthly Archives: August 2020

Captain’s Log: August 2020

The good

  • Little bit of charity – The #BoycottYourBed charity was raising money for Action for Kids. The idea was simple: go sleep someplace other than the beds in your home. I could not get the kids to focus on the live stream, because they were too excited about the massive den that was being built to sleep in. It came to a sticky conclusion when a kid prodigiously vomited over much of the den… So I scrubbed, cleaned, and then relocated to the kids’ room, on the floor, in a snuggly pile. Until that point it was probably the most fun the kids have had in months.
  • Back to School – The return to school has been amazing. They were so bored at home for such a long time that no amount of amusement seemed to do. Now we are having a much happier kid and much better weekends together since everyone isn’t knackered.
  • Adventures Outside – We made it to the park together at weekends because, as I said, everyone wasn’t totally knackered by my days off. It has been a long lockdown and a struggle to get everyone outside at the same time. This was very good. More of this.. oh, whoops, it’s winter. The leaves are falling 😀
  • 10k steps rolling on every single day – All the way back to Christmas Eve 2019. Some seriously… Seriously tough days in August. Early in the month Kid A succumbed to food poisoning and I basically didn’t sleep for 7 days while sitting up with them. But here I am another month more into this stupid goal!
  • TV – Ashes to Ashes – What a show. It has taken quite a while to rewatch, but it is such an excellent programme. That ending is absolutely sublime, and you should not read the rest of this blog post if you have not watched Life on Mars and Ashes to Ashes. Drop whatever you are doing and start watching them. They really pay off.
  • Audiobook #1: Rama II by Arthur C Clarke – Listening to the first one has really lit up my brain for thinking about the cosmos again. Getting the second one the moment the first one ended to continue the story was *obvious*. This time we are given characters, and tension based on them interacting, which is interesting. The first one now seems like some idyllic jaunt by comparison. Very entertaining.
  • Audiobook #2: The Garden of Rama – In for a penny, eh? Straight into the 3rd part. Anything at this point is probably spoilers.
  • Gaming: Rise of the Tomb Raider was this month’s PS Plus title. I devoured that. I like single-player titles with a story. It basically was like “Tomb Raider does Arkham Asylum”. The mechanics are all giving off super Batman vibes. That is a good thing because it is possible to play stealthily. The game says I have approximately 97% completed it. Given that is based on collectables that are not on the map, I am wondering whether it is really worth walking every area to go further. After completing games they should just mark things on maps in vague areas with circles to search in.

The bad

Had a bit of a panic attack over the last weekend of August. As before, the triggers seem clear: not sleeping well again and having rather a lot of things going on at the moment, even when the things are awesome and well worth it. It is still a reminder to get more sleep.

Highlight of the month

Work highlight: I delivered a job and got some amazing feedback from the customer. Never underestimate the value of feedback (positive, and negative). Be kind, stay constructive. Other than that tell everyone all of the things all of the time!

Life highlight: I said I couldn’t sleep, right? I made a stupid short film because I was asked to make a single monstrous slice of toast. I mostly wanted to document that the horrible slice of toast existed.

Using Jython’s PIP to add dependencies to Burp Extenders

Ever wanted to use 3rd-party Python libraries when making a Burp Extender? I had somehow avoided it until recently.

Warning: be aware before pasting in the commands below that, as far as I can tell, they set up a pip environment for Jython and store all dependencies inside a new folder within the current directory.

In a nutshell it works like this:

java -jar jython-standalone-2.7.1.jar -m ensurepip
java -jar jython-standalone-2.7.1.jar -m pip install --upgrade pip
java -jar jython-standalone-2.7.1.jar -m pip install jsbeautifier

Making dependencies available in Burp

You need to configure the Python Environment on the “Extenders” -> “Options” tab as shown:

The second option needs to point to the folder where pip just initialised itself to. For me it was inside the BurpSuitePro folder as shown.
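As an added example (not code from the original post), a minimal Burp extender written for Jython that checks whether a pip-installed module such as jsbeautifier is actually visible before importing it, so a mis-set “Folder for loading modules” produces a readable error in the Extender output instead of a bare ImportError. The MODULE_FOLDER path is a hypothetical fallback; the helpers scan directories on sys.path directly so they run the same under Jython 2.7 and CPython 3.

```python
import os
import sys

# Assumed location of the folder pip created (hypothetical path). In Burp the
# normal way is Extender -> Options -> "Folder for loading modules"; this is a
# fallback so a wrong setting fails loudly instead of with a bare ImportError.
MODULE_FOLDER = os.path.join(os.getcwd(), "Lib", "site-packages")


def locate_module(name, search_path=None):
    """Return the directory on search_path (default sys.path) holding module
    `name` as a package or a single file, or None if no real directory has it.
    Scans the filesystem directly, so it behaves the same under Jython 2.7 and
    CPython 3 and never imports the module as a side effect. Entries inside
    jars/zips are skipped, which is fine: the pip folder is a plain directory."""
    for entry in (sys.path if search_path is None else search_path):
        entry = entry or os.curdir
        if os.path.isfile(os.path.join(entry, name, "__init__.py")):
            return entry
        if os.path.isfile(os.path.join(entry, name + ".py")):
            return entry
    return None


def ensure_on_path(folder, path_list=None):
    """Prepend folder to path_list (default sys.path) once. Returns True if added."""
    if path_list is None:
        path_list = sys.path
    if folder in path_list:
        return False
    path_list.insert(0, folder)
    return True


try:
    from burp import IBurpExtender  # only resolvable when Burp loads this file
except ImportError:
    class IBurpExtender(object):  # stand-in so the file also runs under plain Python
        pass


class BurpExtender(IBurpExtender):
    def registerExtenderCallbacks(self, callbacks):
        callbacks.setExtensionName("Third-party module check")
        ensure_on_path(MODULE_FOLDER)
        where = locate_module("jsbeautifier")
        if where is None:
            callbacks.printError("jsbeautifier not found; point 'Folder for loading "
                                 "modules' at the pip folder. sys.path=%r" % (sys.path,))
            return
        import jsbeautifier  # safe now; this is the import that would otherwise fail
        callbacks.printOutput("jsbeautifier loaded from %s" % where)
```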

The source for this wizardry is the video below:

Happy Extender making you python wizards.

Retiring old vulns

There I was finding a lovely Cross Site Scripting (XSS) vulnerability in a customer site today. Complete beauty in the HTTP 404 response via the folder/script name. So I started to write that up.

I peered at the passive results from Burp Suite and noticed a distinct lack of a vulnerability I was expecting to see:

I looked at the HTTP headers and saw this peering back at me:

X-XSS-Protection: 1; mode=block

Burp was correct not to raise that issue, because it only reports where that very header is insecurely set or non-existent.

For the uninitiated, the “X-XSS-Protection” header is supposed to tell web browsers to inspect content from the HTTP request that is then present in the immediate response. It had a laudable goal: to make reflected XSS a thing of the past, or at least harder to exploit.

Chrome liked it so much that it defaulted to having it enabled, even if the server didn’t bother setting it. This caused much consternation.

Stawp making the world safer Google… Jeez!

I thought: ah, this is my testing browser (Firefox); I must have overridden the XSS filter.

  • So I try in Chrome.. *pop pop*.
  • So I try in Edge.. *pop pop*.

I think I google “Is X-XSS-Protection still a thing?” and stumble across this nugget:

Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection

No. It is not a thing. Has not been a thing for a little while.

The modern approach is to ensure that you use robust Content-Security-Policy settings. The radical approach is to prevent XSS by secure coding practices which will just never ever catch on.

Security tools and scanners, including Nikto, Burp Suite, and Nessus, all still pull this header out as something to be reported on. Does it have any real relevance if user-agents simply ignore it now?

It may impact older browsers. But generally, when you are talking about any web browser that old, there will be some way to completely control the victim’s computer anyway. Logically you should only concern yourself with where the herd is running today.
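To show what “informational at most” looks like in practice, here is an added example (my own illustration, not the post’s code and not a reproduction of any scanner’s logic) that triages a set of response headers: X-XSS-Protection is reported as informational whatever its value, since current browsers ignore it, while the Content-Security-Policy is checked for whether it actually restrains script sources. The sample headers and the severity labels are constructed for this example.

```python
# Constructed sample headers for illustration (not the customer site on the page).
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": "default-src 'self'; "
                               "script-src 'self' 'unsafe-inline' https://cdn.example",
}

# Source expressions that let scripts load from almost anywhere.
BROAD_SOURCES = ("*", "data:", "http:", "https:")


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def triage_xss_headers(headers):
    """Return [(severity, message)] for a dict of response headers. Severity
    labels are this example's own: 'info' for the deprecated X-XSS-Protection
    header whatever its value, 'low'/'medium' for CSP gaps."""
    lookup = dict((k.lower(), v.strip()) for k, v in headers.items())
    findings = []
    xss = lookup.get("x-xss-protection")
    if xss is None:
        findings.append(("info", "X-XSS-Protection absent: deprecated, ignored by current browsers"))
    else:
        findings.append(("info", "X-XSS-Protection is %r: deprecated, ignored by current browsers" % xss))

    csp = lookup.get("content-security-policy")
    if csp is None:
        findings.append(("medium", "No Content-Security-Policy: injected scripts are unrestrained"))
        return findings
    policy = parse_csp(csp)
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append(("medium", "CSP has neither script-src nor default-src"))
        return findings
    # CSP2+: a nonce or hash in the list makes browsers ignore 'unsafe-inline'.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in scripts)
    weak = [s for s in scripts
            if s in BROAD_SOURCES or (s == "'unsafe-inline'" and not has_nonce_or_hash)]
    if weak:
        findings.append(("low", "CSP script sources %s weaken XSS protection" % ", ".join(weak)))
    return findings
```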

My approach is to take this out the back and put it out of its misery with a few rounds through the head(er). Then I will stuff it and mount it on my wall next to “Password Field with autocomplete enabled”, which is itself deprecated because browsers also chose to ignore it.

Time rolls on and standards change. Let’s have a round of applause for good old “X-XSS-Protection”. It has been a good sport. A brilliant contender, but sadly it never truly saw its potential realised because Arsenal kept buying replacement wingers. It never got any game time.