Address: Level 26,Fortune Financial Center,No.5 Dongsanhuanzhong Rd,Chaoyang District,Beijing
Contact: Wang He
Security Extracts: The daily life of an internet security soldier
Life is not only the drudgery in front of you; there is also poetry and Party A. So I joined Party A and became an internet security soldier.
Back on the web security research team on the Party B side, I probably cared more about security technology in one direction, something like a knight. Moving to an internet company, which counts as Party A, a security engineer pays attention not only to the security technology itself; what matters more is understanding the relationship between security and the business. Now we have a builder's mindset: we need to think about how to help make products more robust, so that our business is healthier.
Of course, a journey of a thousand miles is walked one step at a time. As an internet security soldier I have not yet risen to the level of security policy and program design; my days are spent with vulnerabilities as my companions, split between two kinds of work, the Security Emergency Response Center (SRC) and product security testing. What follows are my experiences.
I. The Security Emergency Response Center (SRC)
We do not produce vulnerabilities, but we are not merely porters of vulnerabilities either.
A brief description of the daily SRC workflow:
receive the vulnerability report; validate the vulnerability; notify the person in charge of the fix (possibly with repeated discussion of the hazard and of how to fix it); retest the vulnerability; confirm the fix.
So from the moment a vulnerability is found to its final repair is a closed loop. Fine, but it does not always go smoothly, so where are the twists and the gripes?
1. There is a kind of white hat called "you know"
Back when I submitted vulnerabilities to the various platforms myself, out of laziness or ignorance I would often fill in the hazard and the fix recommendation with a single phrase: "you know" (with variants such as "you are more professional than me, you know better" and "I know everything"), pretending to be an experienced old driver (brother is so cool). Until I came to the SRC... I want to cry. I don't know! Bro, please explain; you submitted the vulnerability, you have to take responsibility for me! For example, you send me a screenshot and say "you know"; what exactly am I supposed to know???
I-really-look-stupid.jpg ~ At the very least give the link in question; at the very least tell me whether this dz_ssrfscan.py program can be shared, whether it can be downloaded so I can test... At this point I can only gaze at the sky at a 45° angle, as if sand had got into my eyes.
No crying. This time I cannot let down the white hats' trust, and we cannot lose face for the SRC! By analysing the title, finding the corresponding site, and then looking at the screenshot, I worked out that dz_ssrf supposedly refers to the SSRF vulnerability in Discuz (done detective-style). If I had not handled that kind of issue properly before, I had to search the internet for the basics, then read the test write-ups to learn, and work hard to test it out. Half a day gone...
So here I want to repent: I will never again write "you know". An SRC soldier's favourite is the kind of white hat who writes a clear vulnerability report, supplies the information needed to reproduce it, and also provides their own suggested fix; we usually call this kind of white hat Qinge! Ah, Qinge! A plus! OK, my vulnerability-confirmation step is complete; the next step is to notify the person in charge in the business department.
2. And then a bewildered face: XSS just pops a box? I opened the URL for this vulnerability and got a blank page, so isn't it fine?
Take the SSRF example above as a simple note. For SSRF with no echo (blind SSRF), at zero cost I used the vulnerable interface to request a network resource that exists and one that does not, and compared the response times: a request for a non-existent page returned noticeably faster than one for an existing file, from which I inferred that the target server really was requesting the URL we submitted. For people encountering this vulnerability for the first time, this genuinely needs to be understood. With that, the most difficult part of the vulnerability itself has been completed.
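Since the post says the best reports come with a suggested fix, here is the fix side of an SSRF finding: a destination check that a server-side "fetch this URL" feature would run before making any request. This is an added example and not code from the post or from Discuz; the function name `validate_fetch_target`, the allowed scheme and port sets, and the `SAMPLE_DNS` table (a constructed stand-in for a resolver so the block runs offline) are all assumptions for illustration.

```python
"""Destination check for a server-side URL fetcher (the fix side of an SSRF).

Added example; not the original post's code.  The resolver is injectable so
the check can be exercised offline against a constructed DNS table.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # assumption: the feature only needs web fetches
ALLOWED_PORTS = {80, 443}             # assumption: no need to reach odd ports


def _is_public(ip):
    """True only for addresses outside loopback, RFC1918, link-local, etc."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host):
    """Real resolver: every address (A and AAAA) the host maps to."""
    return [ipaddress.ip_address(info[4][0])
            for info in socket.getaddrinfo(host, None)]


# Constructed DNS table standing in for real resolution (offline test data).
SAMPLE_DNS = {
    "example.com":   [ipaddress.ip_address("93.184.216.34")],
    "internal.corp": [ipaddress.ip_address("10.0.0.5")],
    "localhost":     [ipaddress.ip_address("127.0.0.1")],
    # A host whose records mix a public and a loopback address must be refused:
    # the fetcher cannot know which one the connect() will use.
    "mixed.test":    [ipaddress.ip_address("93.184.216.34"),
                      ipaddress.ip_address("127.0.0.1")],
}


def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return SAMPLE_DNS[host]


def validate_fetch_target(url, resolver=system_resolver):
    """Return (True, [addresses]) if the URL may be fetched, else (False, reason).

    The caller should connect to one of the returned addresses rather than
    re-resolving the name, otherwise a DNS answer that changes between this
    check and the connect would bypass it.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    port = port or (443 if parts.scheme.lower() == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port not allowed: {port}"
    # Literal IP addresses skip DNS entirely; names go through the resolver.
    try:
        addresses = [ipaddress.ip_address(host)]
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"resolution failed: {exc}"
    for ip in addresses:
        # ::ffff:10.0.0.1 is really 10.0.0.1; judge the embedded IPv4 address.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if not _is_public(ip):
            return False, f"destination {ip} is not a public address"
    return True, addresses


if __name__ == "__main__":
    for u in ("http://example.com/page", "http://internal.corp/admin",
              "http://[::ffff:10.0.0.1]/", "file:///etc/passwd"):
        print(u, "->", validate_fetch_target(u, sample_resolver))
```

The check refuses literal private addresses, IPv4-mapped IPv6 forms, non-web schemes and unusual ports, and any name that resolves to even one non-public address. Redirects are a separate concern: the fetcher must either disable them or run this same check on every redirect target.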
For a confirmed vulnerability, I think the hardest point in the process is helping the business side reproduce the vulnerability in their own environment, and explaining the problem by moving them with feeling and persuading them with reason, so that the business side also understands the hazard of the vulnerability and helps find the root cause.
If the communication is poor, it misleads; for example, if XSS is explained badly, the business side may think XSS is nothing more than popping up a box...
3. Repair: there are several ways, and getting a fix landed has its twists and turns
First, scheduling is a problem. If bug fixes are not tied to the business side's KPIs, convincing the business side to fix quickly may take some extra persuasion. But as long as everyone wants the business to be better and safer, the problem is not large.
Then comes confirming the result of the fix. Take a reflected XSS vulnerability: after the business side said it had been fixed, the retest found that the fix was to ban the GET method on that interface, which turned a GET XSS into a POST XSS... Are you kidding me? Talking to the business side, they said the interface is called from many places and cannot all be changed at once. After discussion, we recommended that the data interface's declared response format be changed from html to json, so that the browser does not parse and execute it. Taking into account that the interface is widely called and hard to change in a short time, as security engineers we understand the business situation and follow up regularly until the fix lands; but the GET-to-POST change as a fix for XSS is a repair method that we, as security testers, do not recognize.
Because security engineers have their own security boundary: we understand the business situation, but we also have our own professionalism and ethics regarding security. The process for dealing with the business can be flexible, but the ways and means of handling a vulnerability must be carefully verified, and we hold to our professional knowledge; this is our professional dignity.
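The retest in the story is worth seeing in code: the three versions of the interface side by side, and a check that shows why banning GET changes nothing while declaring JSON does. This is an added example, not the interface from the post; the handler shape `(method, params) -> (status, headers, body)`, the handler names, and the probe value are assumptions made for illustration.

```python
"""A reflected-XSS interface in three states, plus the retest the SRC would run.

Added example; not the original post's code.  Each handler takes
(method, params) and returns (status, headers, body), a stand-in for a real
web framework so the block runs offline.
"""
import html
import json


def handler_original(method, params):
    """Vulnerable: reflects the raw parameter into a text/html body."""
    name = params.get("name", "")
    return 200, {"Content-Type": "text/html; charset=utf-8"}, f"<div>hello {name}</div>"


def handler_get_banned(method, params):
    """The fix the business side shipped: refuse GET.  The reflection is untouched."""
    if method == "GET":
        return 405, {"Allow": "POST", "Content-Type": "text/plain"}, "method not allowed"
    return handler_original(method, params)


def handler_json(method, params):
    """Recommended fix from the post: declare the data as JSON.

    The browser never renders application/json as a document, and nosniff
    stops it from guessing a different type from the body.
    """
    name = params.get("name", "")
    body = json.dumps({"greeting": f"hello {name}"})
    return 200, {"Content-Type": "application/json; charset=utf-8",
                 "X-Content-Type-Options": "nosniff"}, body


def handler_escaped(method, params):
    """Alternative when the interface really must stay HTML: encode on output."""
    name = params.get("name", "")
    return 200, {"Content-Type": "text/html; charset=utf-8"}, f"<div>hello {html.escape(name)}</div>"


# Constructed retest marker; any string the browser would execute works here.
PROBE = "<script>alert(1)</script>"


def reflected_as_html(handler, method):
    """True if the probe comes back intact in a response a browser renders as HTML."""
    status, headers, body = handler(method, {"name": PROBE})
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return status == 200 and ctype == "text/html" and PROBE in body


def retest(handler):
    """Exercise both methods: a fix must hold regardless of how the endpoint is called."""
    return {m: reflected_as_html(handler, m) for m in ("GET", "POST")}


if __name__ == "__main__":
    for h in (handler_original, handler_get_banned, handler_json, handler_escaped):
        print(f"{h.__name__:20s} {retest(h)}")
```

The JSON body still contains the probe string, which is fine as data; if a front-end later inserts that value into the page, encoding at that insertion point is still required, which is what `handler_escaped` shows for the server-rendered case.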
To emphasize: as an SRC vulnerability handler, merely finding the vulnerability and being able to reproduce it is not enough. More important is finding the root cause and, taking the business conditions into account, giving the most reasonable remediation plan; these latter two points are what distinguish the level of a vulnerability handler. Also, across the whole life cycle from a vulnerability being discovered to being repaired, the share of communication and exchange is very high, probably more than 50%, so a qualified SRCer should not only know these things and know why, but also be able to express themselves and communicate well.
So, living in the SRC and serving white hats together with our product and business teams: although we do not produce vulnerabilities, we are not merely porters of vulnerabilities either.
II. Product security testing
Before a company's products or business lines go online, they often need security testing by the security department, aimed at eliminating some security risks and checking key functions for safety; these internal security tests are also a focus of daily work. Here are a few thoughts.
1. Can you freely test whatever is in your own house?
Not at all. Even the company's own products are not there for you to test however you like. First there is a red line: for online business and the production servers where services are deployed, do not test casually without authorization, and even when testing, try not to run brute-force or high-volume scans. For an online system, under normal circumstances availability must be guaranteed first. Imagine if an e-commerce server had five minutes of downtime because of an anomaly caused by your test (never mind the losses): that would count as an incident. So for the builders of internet security, it is not only about technique but also about discipline!
And in most cases the test environment is on the internal network; in that case you do not have to worry too much, so find as many vulnerabilities as you can ~
2. Bold hypotheses, careful verification, fewer false positives
For example, when testing whether the target server supports unsafe HTTP methods, seeing the OPTIONS response advertise PUT and DELETE does not by itself establish that a vulnerability exists; each method has to be tested one by one. We also have to think carefully: the enabled methods may differ from one directory to another; sometimes OPTIONS reports a method as open when in fact it cannot be used; and conversely a method missing from the OPTIONS response may still be available. After really confirming it, we still need to communicate with the business side about whether the extended HTTP methods are genuinely needed and, if they are, how permissions should be set, and so on.
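The per-directory verification described above, as an added example rather than anything from the post: it records what OPTIONS advertises for each path, confirms each risky method with a real request, and reports both kinds of mismatch. The server here is a constructed in-memory stand-in (`SAMPLE_SERVER`, deliberately inconsistent in both directions) so the block runs offline; in a real test `probe` would be a function that issues the request against the test environment and returns the status and headers, and the function and field names are assumptions.

```python
"""Per-path confirmation of HTTP methods versus what OPTIONS claims.

Added example; not the original post's code.  `probe(method, path)` returns
(status, headers).  The sample probe below answers from a constructed table.
"""

# Constructed per-directory policy: what the Allow header says, and what the
# server actually accepts.  Both directions of inconsistency are represented.
SAMPLE_SERVER = {
    "/":         {"allow": "GET, HEAD, OPTIONS",
                  "enabled": {"GET", "HEAD", "OPTIONS"}},
    "/uploads/": {"allow": "GET, HEAD, PUT, DELETE, OPTIONS",   # advertised...
                  "enabled": {"GET", "HEAD", "OPTIONS"}},        # ...but refused
    "/dav/":     {"allow": "GET, OPTIONS",                       # not advertised...
                  "enabled": {"GET", "OPTIONS", "PUT", "DELETE"}},  # ...but accepted
}

RISKY_METHODS = ("PUT", "DELETE", "TRACE")


def sample_probe(method, path):
    """Offline stand-in for sending a request; mirrors SAMPLE_SERVER's policy."""
    entry = SAMPLE_SERVER[path]
    if method == "OPTIONS":
        return 200, {"Allow": entry["allow"]}
    if method in entry["enabled"]:
        return 200, {}
    return 405, {"Allow": entry["allow"]}


def parse_allow(headers):
    """Split an Allow header into a set of upper-case method names."""
    raw = headers.get("Allow", "")
    return {m.strip().upper() for m in raw.split(",") if m.strip()}


def verify_methods(paths, probe, methods=RISKY_METHODS):
    """For each path, compare advertised methods with ones confirmed by request.

    A method counts as confirmed only on a 2xx answer; 403/405/501 and the
    like mean it is not usable as-is and must not be reported as a finding.
    """
    wanted = set(methods)
    report = {}
    for path in paths:
        _, headers = probe("OPTIONS", path)
        advertised = parse_allow(headers) & wanted
        confirmed = set()
        for method in methods:
            status, _ = probe(method, path)
            if 200 <= status < 300:
                confirmed.add(method)
        report[path] = {
            "advertised": advertised,
            "confirmed": confirmed,
            "false_positive": advertised - confirmed,   # OPTIONS said yes, server said no
            "missed_by_options": confirmed - advertised,  # OPTIONS said no, server said yes
        }
    return report


if __name__ == "__main__":
    for path, result in verify_methods(list(SAMPLE_SERVER), sample_probe).items():
        print(path, result)
```

Only the `confirmed` set goes into the report to the business side; the `false_positive` entries are exactly the noise the section warns about, and `missed_by_options` is why walking each directory with real requests matters more than reading one OPTIONS response.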