One Code Mistake Ruined This Website
Key Takeaways
The video analyzes a cybersecurity challenge where a small code mistake in a YAML file allows an attacker to bypass a flag check, and discusses the importance of secure coding practices and the use of tools like Sneak Link to prevent such mistakes, using tools such as Docker, Node, Express, and YAML.
Full Transcript
in this video I want to show you a small gimmick with a pretty common markup language so take a look at this this is a small web application where you as the user can view other country flags and translate hello world in different languages you can specify scroll and select what world country you might be from and then you could see hey it changes flags that you can translate to in any other place you might like there are tons of different options as to what country you might choose and where you might be able to translate and view the flag but this is ultimately a capture the flag challenge it's a small exercise task and activity to test you on some cyber security skills and this challenge comes from laf or a capture the flag competition hosted by the University of California in Los Angeles and the challenge and competition is over the CTF has ended and I'll be showcasing this as a small simple writeup for that challenge if I zoom out here just a bit and go take a look at the challenges we can scroll down to this web application challenge called flag Lang now there isn't much to The Prompt here it says simply do you speak the language of the flags we have a link or URL to the challenge and a downloadable file obviously the gimmick and the joke of viewing country flags is to view a capture the flag challenge flag now I can go ahead and simply download The Challenge file here just azip file and I'll go ahead and open up a command line I am inside of my C Linux virtual machine so I'll move into a directory that I have already created called flag langang and I'll move from my downloads that flag .zip that we just downloaded I'll go ahead and unzip that file so we can work with everything that's provided here and there's a lot of sweet stuff so I'm going to open this up in my text editor I am using Sublime Text so I'll open the whole current directory and now we can dig into some of the interesting files looks like I had one cached here but I think we could go ahead and start with simply the docker file this is pretty simple there's not much to it we are going to be using a node instance so likely serers side JavaScript an Express framework we've got an application directory package Json that defines our dependencies and the source code of our application the command ultimately to run that web server first things first we could go take a look at package.json to see the source code of this application looks like it will'll just be running index.js as the server couple dependencies here cookie parser Express and yaml ooh that one's a little bit interesting with that we can expand the source code and let's move into this app.js this pulls in a couple libraries or modules that it will require and then actually grabs a yl path where it's joining the current directory and the countries. yaml file we'll dig into that in just a second as it reads through it and then Define some other convenience functions to be able to look up information from the countries that it must have pulled in from that yaml configuration file looks like it will Define a secret which is serers side information that we will not know as the player of the CTF challenge here but it looks like it will also parse cookies based off of that secret we have some assets that we could serve from the server and a couple different functions that the Define really the functionality of the application looks like there's an endpoint to switch with a couple HTTP get parameters or query variables like two that we might be able to switch to a different flag as you saw as we were playing with the application here scrolling down we also have a view function which likely allows us to view some of the flags we were digging into and the forward slash or just the root of the web page the default index that we load here will just send the template file replacing some of the information that's pertinent to the state of the application with that we could go take a look at that template and this is just the HTML or the hypertext markup language that would define the structure of the web page you can see all these sort of dollar sign variables and values things that might be passed in to include some templated data hey given from the application server but this is pretty simple this is all static we could see some client side code to find in assets here that our is our flag. JS file which gives some Dynamic capability like filling out all of the options for flags that could be read from that yaml configuration file and anything that we might interact with like hey buttons select drop downs etc etc now all of this is alluding to that countries. yaml file and this is just yet another markup language or yaml again markup language you might be familiar with alongside Jason toml and others but yaml has a couple interesting idiosyncrasies in some peculiar gimmicks ultimately I'm assuming our goal is to read something from flagan and that's a fake country that's not real right there there is no country in the world called flagan as far as I know but it has a code here FL a message that's presumably the flag just redacted a password that would have been necessary and an interesting deny list seemingly including all of the other country codes that I guess we aren't able to read things from it's kind of odd but look let's go try in the application just viewing in our web browser to see if we could just view or see the flag from flagan let me go ahead and toggle this I am from the United States personally so I'll set that as where I am from and I'll change this to just go to flagan looks like that's at the very top here but it says flagan has an embargo in your country so I am not able to see that uh any other country like hey turkey or whatever also if I tried to visit flagan will tell me that has an embargo and I'm not able to view that country's flag and translation and message we could probably put two and two together here thinking that this deny list is what's going to tell us whether or not there is an embargo and we're able to see that data or not and again we could see that view it just in the source code and logic from our app.js we could actually see hey this definition here if the country deny list includes the other ISO that we're working with then it'll just return that message there is an embargo there obviously inside of the countries. yo file this has the definition for all all of those countries that we could interact with hey it'll include its ISO code the message and all these options and their own Deni list which is empty for just about all of these so the question remains now how could we read the information from flagan and obtain the flag or the secret the key the token that proves and validates that we have solved this challenge that's the gimmick here so we will answer that question in just a second but before we do look I try my best with these videos and the only reason that I'm able to put out as much content as frequently as I do alongside my day job and everything else I do in my life is because thankfully I have sponsorship I really hope your understanding of that but please if I may I'd love to tell you about sneak if you've been prioritizing secure code for a while now then you probably already know about sneak but if you're not familiar listen up sneak is your best friend for secure software development it integrates into your existing workflows like inside your ID e or even your cicd pipelines and so much more all to help you find and fix vulnerabilities and honestly sneak is awesome at this they've been recognized as an industry leader by Gartner Forester and Fortune and they're trusted by developers all over the industry at AWS Google Salesforce at lassan and so many more their team is always putting out incredible research like even the recent leaky vessels vulnerability so here's the gist no one should be deploying code that hasn't had a security check so make sure your code is secure before you deploy out your applications and projects with sneak you can use my link below in the video description jh. life/ and get started to develop fast and stay secure with sneak now let's get back to that yo configuration file and again there are so many different countries listed here but we might be able to find something odd something that sticks out something that stands out maybe like a sore thumb I don't know it's it's really just a test of your eyes here but thankfully syntax highlighting in a lot of common idees or Smart Text editors can help clue you in on this and I'm scrolling and I'm scrolling and eventually I want to hit one that is a little bit interesting if I finally move down into these letters here and we reach n we'll get into the country Norway and I don't know if you can see it but take a look Norway has an ISO value in a code set as no or n o and that is in purple when everything else is yellow so you might be already tracking what I'm digging into here let me show you a quick example here let's say I were to create a new file just as a playground to Showcase this I'll set the syntax to yaml so we have that syntax highlighting here and I'll just Define maybe an object for the Galaxy or our world or our universe whatever and that could have maybe a planet and we can call that planet just earth right that's fine I don't know capitalize Earth and then we could say the sky is blue as one of these attributes or properties here and I would just simply say yes it is true that is a value that I might like we could say oh here's a population or whatever we'll add in some numbers I don't know whatever the heck it might happen to be we could say the species is human I don't know if there were aliens in some other planets or something we could have some fun with here but look at how all of these are either yellow or purple now that purple one has a little bit of a gimmick here because the sky is blue I said that to a Boolean value now normally when I Supply a string like human or Earth as the name here I could wrap this in double quotes or single quotes to have yaml denote this is a string value but it'll automatically figure out look that's probably a string value now when I enter the word true that is a Boolean value that isn't really going to be triggered as a string because it's smart enough to say Oh you mean true as a zero or one Boolean value and thankfully yl makes us a little bit nicer because you could just enter even the word yes as the value for our sky is blue as a Boolean value now you're probably following down this road here here because I could say false if I didn't want to say I don't know the guy's like green or whatever now if yes is a Boolean one we also have no as a Boolean false or zero look a little familiar that is the I here if I actually move back to our countries. yaml file we'll notice that Norway is the country with that code of no or no as the letters not as a string but as a Boolean value so if I actually move back up here to check out flagan in the deny list if I were to cruise through all of these values we could go find our string no and that as being the country code for Norway but again that is now wrapped in those double quotes and it's clear that's meant to be interpreted as a string however down below later on in the Declaration of all this configuration info no o is provided not as a string but as interpreted as a Boolean value so this Clues Us in as to how we might be able to take advantage of this say that I not coming from my usual hey home country of the United States again remember we would not be able to view flagan as the country that we'd like to see with that flag value it has an embargo but Norway is the one special unique country because of this tiny little oversight if I actually navigate hey go use Norway as our option here we'll select that we'll get the flag and how we might say it but oops looks like something's a little bit broken if I now try to go to flagan that no value is being treated as a Boolean false and it is not in the deny list so flagan will give me the pure flag lctf here's the full flag Norwegian yaml fans in shambles and that's it that's the solution we could go copy and paste this I'll right click and go put that on the scoreboard say I would go ahead and submit that and we're looking good but the CTF is over right still I really like that little trick I think that's kind of a neat little gimmick to harp on and I'm digging the comment here hey I love chat GPT translation maybe they just use some AI generative whatever llm crap to spit that all out and they didn't even realize that no o gimmick is now going to be ending up uh evaluating as a Boolean value false and not considered a string as defined in the deny list I like that I thought that was kind of neat and cutesy by the way we saw in a lot of the code that this is actually kind of handled and interpreted with those cookies right we were able to extract that with the secret given and it checks this with a bunch of the cookies that are provided here and how the code and application works but if I were to get back to my web browser and I'll hit F12 on my keyboard do some sweet Missouri hacking I'll move into the developer tools browser stuff here and I could go into application as the tab scroll over to the cookies section for storage here and we have a couple cookies if I were to delete these if I were to start with a blank canvas completely fresh clean slate I'll refresh this page here I'll close out of the developer tools hit F5 on my keyboard This brings us right to the flat instance of the page but before I've actually toggled or set where I'm from in the view section here for the flag I'd like to you know start with if I were to just immediately switch into flagan it won't know where I came from to begin with and we could just kind of cheese the challenge right away uh it'll just spit out the flag and you could avoid hey finding that yaml flaw or gimmick but again I think that's some pretty cool knowledge for our own learning and education with all that said I hope you're a little bit smarter on yaml the yet another markup language and one of those small little gimmicks and peculiar idiosyncrasies on true or false false Boolean values yes or no and when you want it to be acting as a string but it's not and it's another value that might trip you up in some code and application and hey you do want to make sure that your code is secure so again seriously please do give some love to our sponsor sneak Link in the video description you should seriously be using it if you write any code especially for your job in like devops devc all that stuff sneak has got to be in the mix thank you so much for watching hope you enjoyed this video like comment subscribe and I'll see you in the next one
Original Description
https://jh.live/snyk || Try Snyk for free and find vulnerabilities in your code and applications! ➡ https://jh.live/snyk
Free Cybersecurity Education and Ethical Hacking with John Hammond
📧 JOIN MY NEWSLETTER ➡ https://jh.live/email
🙏 SUPPORT THE CHANNEL ➡ https://jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok
💥 SEND ME MALWARE ➡ https://jh.live/malware
🔥 YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
Watch on YouTube ↗
(saves to browser)
Sign in to unlock AI tutor explanation · ⚡30
Playlist
Uploads from John Hammond · John Hammond · 0 of 60
← Previous
Next →
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
Tutorials? MySQL connection with PHP and Bash!
John Hammond
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
JavaScript Splits The URL!
John Hammond
HTML Tables in Python!
John Hammond
HTML, Net Shares, GML!
John Hammond
Python 08 Programming Style and Comments
John Hammond
Python 26 Object Oriented Programming
John Hammond
75 Python Tutorials, Out Now!
John Hammond
Batch 14 Mathematical Expressions
John Hammond
Batch 85 Array Append
John Hammond
Batch 86 Array Count
John Hammond
Batch 87 Array Index
John Hammond
Batch 88 Array Insert
John Hammond
Batch 89 Array Remove
John Hammond
Batch 90 Array Reverse
John Hammond
Python [colorama] 00 Installing on Linux
John Hammond
Python [colorama] 09 Cursor Position
John Hammond
Python [hashlib] 02 Algorithms
John Hammond
Python 00 Installing IDLE on Linux
John Hammond
Python [pygame] 11 Rectangular Collision Detection
John Hammond
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
Python [XML-RPC] 01 Research
John Hammond
Python [pyenchant] 03 Personal Word Lists
John Hammond
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
Python 04: PEP8 Coding
John Hammond
Python Challenge! 17 COOKIES
John Hammond
Google CTF 2016: Ernst Echidna
John Hammond
Google CTF 2016: Spotted Quoll
John Hammond
Google CTF 2016: Can you Repo It?
John Hammond
Google CTF 2016: No Big Deal
John Hammond
Google CTF 2016: In Recorded Conversation
John Hammond
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
Homemade CTF Challenge: 04 "UPX"
John Hammond
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
Juniors CTF 2016 :: Six Strange Tales
John Hammond
Juniors CTF 2016 :: Lost Code
John Hammond
Juniors CTF 2016 :: Here Goes!
John Hammond
Juniors CTF 2016 :: Southern Cross
John Hammond
Juniors CTF 2016 :: Clone Attack
John Hammond
Juniors CTF 2016 :: Dirty Repo
John Hammond
Juniors CTF 2016 :: Hackers Blog
John Hammond
Juniors CTF 2016 :: Voting!!!
John Hammond
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
Juniors CTF 2016 :: Stop Thief!
John Hammond
Juniors CTF 2016 :: ROFL
John Hammond
Juniors CTF 2016 :: Restriced Area
John Hammond
Juniors CTF 2016 :: Oh SSH!
John Hammond
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
HackCon CTF 2017 "Bacche" Challenges
John Hammond
More on: Security Basics
View skill →Related Reads
📰
📰
📰
📰
Australia finds serious gaps in Big Tech’s response to child sexual abuse online
The Next Web AI
The Future of Endpoint Security: Why Visibility, Intelligence, and Automation Will Define the Next…
Medium · Cybersecurity
Why Every Cybersecurity Product Needs Enterprise-Grade Connectors in 2026
Dev.to · Shivang Patel
Malware Deep Dive: Gandcrab
Dev.to · jordanricky1604-ship-it
🎓
Tutor Explanation
DeepCamp AI