CODE BLUE, profile picture
Uploaded byCODE BLUE
PDF, PPTX1,082 views

[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson

The document details the development of a scalable fingerprinting tool using Chromium automation at Veracode, covering its architecture, components, and challenges encountered over the years. Notable elements include a message queue for processing URLs, the use of browser automation for data capture, various coding solutions to handle database challenges, and the results of the scanning project. The final outcomes reflect on the number of security header scans, violations, and the analysis of prevalent JavaScript libraries and frameworks.

Technology
Related topics:
Web Security Overview

Embed presentation

Download as PDF, PPTX
ISAAC DAWSON, AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION VERACODE 15
VERACODE AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION ABOUT ME: ▸ Previously at @stake, Symantec (10 years) ▸ Moved into research role at Veracode, Inc. (6 years) ▸ Living in Japan for 12 years ▸ I <3
VERACODE AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION IT ALL STARTED IN 2012…
VERACODE AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION SECURITY HEADER SCANNING HISTORY ▸ All scanners use the Alexa Top 1 Million URLs ▸ Galexa (November 2012 - March 2014) ▸ Golexa (March 2014 - February 2016) ▸ Creeper v0-v1 (February 2016 - July 2016) ▸ Creeper v2 (July 2016 - …)
ARCHITECTURE THE SYSTEM:
VERACODE AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION SUMMARY OF SYSTEMS & COMPONENTS ▸ Admin (x1) - Manages jobs ▸ Agents (x50) - Analyzes URLs ▸ DB Writers (x4) - Feeds analysis data into the DB & S3 ▸ Database (x1) - PostgreSQL 9.5 DB ▸ NSQ - A message queue for URLs, reports and responses ▸ S3 - Stores serialized DOM and HTML/JS
VERACODE AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION THE MESSAGE QUEUE -NSQD, NSQLOOKUPD ▸ NSQ is an easy to deploy message queue ▸ JSON messages between all systems ▸ All agents point to Admin service running NSQLookupd
VERACODE AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION HELPFUL NSQ FEATURES // Create consumer c.urlConsumer, err = nsq.NewConsumer(job.Topics["url"], creeper_types.UrlChannel, cfg) // Process numBrowser of messages concurrently (7) c.urlConsumer.AddConcurrentHandlers( nsq.HandlerFunc(c.processUrls), numBrowsers) 
 // Job taking too long to handle/process a message? msg.Touch() // notify we are still working on this message // Need to requeue because chrome crashed? msg.RequeueWithoutBackoff(-1) // Need to change max # of inflight messages? c.urlConsumer.ChangeMaxInFlight(c.getInflightCount()) 1 2 3 4
VERACODE DATA STORAGE AROUND THE WEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION DATAFLOW DB AGENT ADMIN WRITER WRITER WRITER S3 AGENT AGENT
CREEPER AGENTS GETTING THE DATA WITH:
VERACODE CREEPER AGENTS: GETTING THE DATA
VERACODE CREEPER AGENTS: GETTING THE DATA BROWSER AUTOMATION REQUIREMENTS ▸ Automatable ▸ Fast ▸ Capture network ▸ Capture various browser events (CSP violations) ▸ Inject JavaScript
VERACODE CREEPER AGENTS: GETTING THE DATA CHOSE CHROME, FOR OBVIOUS REASONS… ▸ Each agent runs 3-6 tabs concurrently ▸ Headless, uses Xvfb ▸ Can get full read access to network response data ▸ Easily inject javascript ▸ Can subscribe to console messages
VERACODE CREEPER AGENTS: GETTING THE DATA AGENT DESIGN CREEPER AGENT BROWSER MANAGER ANALYZER REPORTER APP LOGIC
CONTROLLING THE BROWSER
VERACODE CREEPER AGENTS: GETTING THE DATA GOOGLE CHROME REMOTE DEBUGGER ▸ Huge definition files: browser_protocol.json and js_protocol.json { "version": { "major": "1", "minor": "1" }, "domains": [{ "domain": "Inspector", "hidden": true, "types": [], "commands": [{ "name": "enable", "description": "Enables inspector domain...”, "handlers": ["browser", "renderer"] }], "events": [{ "name": "evaluateForTestInFrontend", "parameters": [ … ] }], } }
VERACODE CREEPER AGENTS: GETTING THE DATA GCD ▸ GCD generates Go code using templates ▸ Remote access to debugger events, functions, types. ▸ Can be updated easily as the protocol files change
VERACODE CREEPER AGENTS: GETTING THE DATA GCD WAS GOOD BUT… ▸ Needed something better ▸ Built autogcd to automate: ▸ Trapping console messages ▸ Intercepting network data ▸ Injecting JS ▸ Took some inspiration from WebDriver
VERACODE CREEPER AGENTS: GETTING THE DATA GETTING CSP EVENTS func (b *Browser) StartIntercepting() error { b.tab.GetConsoleMessages(b.cspHandler()) return nil } func (b *Browser) cspHandler() autogcd.ConsoleMessageFunc { return func(tab *autogcd.Tab, message *gcdapi.ConsoleConsoleMessage) { if message.Source != "security" { return } parseCsp(b.creeperData.CspResults, b.creeperData.ReportOnlyCspResults, message.Text) } } 1 2
VERACODE CREEPER AGENTS: GETTING THE DATA TRAPPING NETWORK RESPONSES func (b *Browser) StartIntercepting() error { b.tab.GetNetworkTraffic(nil, b.responseHandler(), b.respFinishedHandler()) } func (b *Browser) responseHandler() autogcd.NetworkResponseHandlerFunc { return func(tab *autogcd.Tab, response *autogcd.NetworkResponse) { creeperResponse.Url = response.Response.Url b.networkContainer.WaitFor(response.RequestId) creeperResponse.ResponseBody, _ = b.encodeBody(response.RequestId, creeperResponse.MimeType, creeperResponse.Url) b.networkContainer.AddReady(creeperResponse) } } // mark the body as ready func (b *Browser) respFinishedHandler() autogcd.NetworkFinishedHandlerFunc { return func(tab *autogcd.Tab, requestId string, dataLength, timeStamp float64) { b.networkContainer.BodyReady(requestId) } } 1 2 3 4
VERACODE CREEPER AGENTS: GETTING THE DATA INJECTING JAVASCRIPT ▸ Extract JS libraries and versions ▸ Retire.js and Wappalyzer have some good pointers ▸ Created a JSON file with 86 frameworks ▸ Must wait for the page to be fully loaded
VERACODE CREEPER AGENTS: GETTING THE DATA INJECTING JAVASCRIPT - THE QUERIES { "libraries": [ { "url": "http://jquery.com/", "key": "jquery", "statement": "jQuery.fn.jquery" }, { "url": "https://jquerymobile.com/", "key": "jquery-mobile", "statement": "jQuery.mobile.version" }, { "url": "http://www.embeddedjs.com/", "key": "embeddedjs 1.0", "statement": "(typeof EJS === "function" && typeof EJS.Buffer === "function") ? "ejs 1.0":""" }, { "url": "http://www.embeddedjs.com/", "key": "embeddedjs 0.x", "statement": "(typeof EJS === "function" && typeof EjsScanner === "function") ? "ejs 0.x":""" } ] }
VERACODE CREEPER AGENTS: GETTING THE DATA INJECTING JAVASCRIPT - INJECTING for _, library := range JsLibs.Libraries { res, err := b.ExecuteScript(library.Statement) if err == nil && string(res) != "" { log.Printf("%s library result was: %sn", library.Key, string(res)) report.JavaScriptLibraries[library.Key] = string(res) } }
VERACODE CREEPER AGENTS: GETTING THE DATA INJECTING JAVASCRIPT - WHEN IS A PAGE DONE? ▸ DOMContentLoaded doesn’t handle dynamically loaded JS ▸ Listen for DOM change events ▸ Page loaded if no DOM change events occur for > 2 seconds ▸ Timeout after 5 seconds
CHALLENGES
VERACODE CREEPER AGENTS: GETTING THE DATA CHALLENGES - CONTAMINATION + + + + | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + Start Capture Load URL Document Loaded Stop Capture
VERACODE CREEPER AGENTS: GETTING THE DATA CHALLENGES - CONTAMINATION - SOLUTION + + + + + + + | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + Borrow Browser Start Capture Load URL Document Loaded Stop Capture Kill Browser Start/Add Pool
VERACODE CREEPER AGENTS: GETTING THE DATA CHALLENGES - CHROME BUG #1 ▸ Turns out opening tabs excessively can cause tabs to not respond to debugger protocol
VERACODE CREEPER AGENTS: GETTING THE DATA CHALLENGES - CHROME BUG #1 - SOLUTION ▸ Mark tabs as ‘dead’ ▸ If max dead tab count is reached, drain active URLs and kill chrome
CRASHSAFARI.COM
VERACODE CREEPER AGENTS: GETTING THE DATA CHALLENGES - CHROME BUG #2 - CHRASHSAFARI.COM ▸ Would completely kill chrome *and* agent ▸ Lost all active tabs ▸ This site cost me about 2-3 weeks development time
VERACODE ▸ Created killface package ▸ Sends a notification to stop active work ▸ Worker count dynamically adjusted to 1 ▸ Pauses queue, runs all unfinished URLs again ▸ Once active count is 0, restart normally CREEPER AGENTS: GETTING THE DATA CHALLENGES - CRASHSAFARI.COM - SOLUTION
VERACODE CREEPER AGENTS: GETTING THE DATA OTHER CHALLENGES ✘ NSQ messages too large, zipping ineffective ✓Split response data/report data ✘ Sites block AWS IP ranges, (craigslist.com etc) ☹ Timeout… ✘ Concurrency issues ✓ Very careful use of go routines, channels and timers. ✘ Site analysis failures/timeouts ✓ Try 3 times, keep track of retry state. ✓ During retry, open a new browser and work on additional url
DB WRITERS & S3 STORING THE DATA WITH:
VERACODE DB WRITERS: STORING THE DATA PREVIOUSLY… ▸ Creeper v0 had many problems ▸ RDS did not support PostgreSQL 9.5 ▸ Duplicate data ▸ For v1, wrote to disk, SHA1 of contents: ▸ /job/files/5/a/b/c/5abcfbe73e39e0572a939b09f1eb16d7.html ▸ v1 did not shard database tables ▸ Database tables were normalized ▸ Lock contention
VERACODE DB WRITERS: STORING THE DATA DATABASE REFRESHER - NORMALIZING url header_name header_value http://veracode.com x-xss-protection 1; mode=block http://codeblue.jp x-xss-protection 1; mode=block http://google.jp x-xss-protection 1; mode=block report-uri … url header_name_id header_value_id http://veracode.com 0 0 http://codeblue.jp 0 0 http://google.jp 0 1 header_name_id header_name 0 x-xss-protection header_value_id header_value 0 1; mode=block 1 1; mode=block report-uri … NORMALIZED: FLATTENED:
VERACODE DB WRITERS: STORING THE DATA CHALLENGES - GETTING THE DATA IN QUICKLY ▸ Get the data out of the DB writers as soon as possible ▸ Careful to not overload the database with many connections ▸ Reduce lock contention for writing
VERACODE DB WRITERS: STORING THE DATA SOLUTION #1 - GETTING THE DATA IN QUICKLY ▸ DB Writers batch up reports and responses ▸ Inserted every 2.5-3.5 seconds ▸ Reduces number of required DB connections
VERACODE DB WRITERS: STORING THE DATA SOLUTION #1 BATCHER func (b *Batcher) AddReport(r *creeper_types.CreeperReport) { select { case b.reportPool <- r: atomic.AddInt32(&b.reportCount, 1) } } func (b *Batcher) EmptyReports() []*creeper_types.CreeperReport { reports := make([]*creeper_types.CreeperReport, 0) for { select { case report := <-b.reportPool: reports = append(reports, report) default: return reports } } return nil }
VERACODE DB WRITERS: STORING THE DATA SOLUTION #2 - GETTING THE DATA IN QUICKLY ▸ Insert into temporary table using COPY FROM ▸ Extracted from temporary table and INSERTed into final table. This allows for UPSERTS: INSERT INTO header_names (header_name) SELECT responses_tmp.header_name FROM responses_tmp ON CONFLICT DO NOTHING;
VERACODE DB WRITERS: STORING THE DATA CHALLENGES - LARGE TABLES ▸ INSERT INTO … FROM SELECT … on a table with 80,000,000 rows ▸ As tables got bigger, db writers slowed down ▸ This is not scalable
VERACODE DB WRITERS: STORING THE DATA SOLUTION - TABLE SHARDING ▸ Much like sharding for the file system ▸ Requires a key: ▸ URL ID. (Ex: 1,google.com 2,microsoft.com etc) ▸ Only large tables require sharding
VERACODE shardKey % inputId shardKey = 1 shardKey = 2 shardKey = 3 DB DB WRITERS: STORING THE DATA TABLE SHARDING WRITER
VERACODE DB WRITERS: STORING THE DATA CREATING A SHARD KEY ▸ Choose the number of times to shard your tables: ▸ shardKey = input_id % 32 ▸ Created PLpgSQL functions: ▸ create unlogged table if not exists job_0_responses ( response_id serial primary key, input_id integer not null, body_hash varchar(64) not null, resp_url bytea not null, resp_uuid varchar(64) unique not null, resp_type_id integer references resp_types (resp_type_id) not null, status_id integer references status_lines (status_id) not null, status_code integer, mime_type_id integer references mime_types (mime_type_id) not null, response_time bigint ); EXECUTE merge_headers(job, shardKey)
VERACODE DB WRITERS: STORING THE DATA CONS WITH SHARDING ▸ Added complexity for querying ▸ Best to create a new table with all data for reporting ▸ In the future, may use Citus for sharding across multiple databases
VERACODE DB WRITERS: STORING THE DATA RESPONSE DATA (JS/HTML)
VERACODE ▸ S3 limits 100/rps, but pushing 200-2000/rps ▸ Had to contact support ▸ Exponential Backoff, retry 10 times ▸ Hash is stored in response table ▸ HeadObject first to check existence, then PutObject ▸ HeadObjects are way cheaper DB WRITERS: STORING THE DATA MOVING TO S3
VERACODE DB WRITERS: STORING THE DATA LASTLY… ▸ Created unlogged tables ▸ Modified PostgreSQL configuration: ▸ Set checkpoints 5 minutes (max) instead of 1 ▸ Enabled fsync ▸ Set max_wal_size 256
THE RESULTS A LOOK AT THE DATA
VERACODE THE RESULTS: A LOOK AT DATA SCAN STATISTICS Responses 72,193,155 Headers 525,385,900 JS Results 1,943,925 URLs w/Errors 67,315 Redirected to HTTPS 145,268 URLS w/CSP Violations 740 Scan Time 15 Hours Cost 343$ / 35063円
VERACODE THE RESULTS: A LOOK AT DATA CSP VIOLATIONS ▸ 722 out of 4965 sites using CSP had violations ▸ Security sites: ▸ https://www.globalsign.com/en/, http://secunia.com/, ▸ https://lastpass.com/, https://www.avant.com/, http:// www.veracode.com/ ▸ Well known organizations: ▸ http://www.alibaba.com, https://www.doubleclickbygoogle.com ▸ https://mozillians.org/en-US/
VERACODE THE RESULTS: A LOOK AT DATA SUM OF CSP VIOLATION TYPES 0 750 1500 2250 3000 SCRIPTSRC IMGSRC FRAMESRC FONTSRC STYLESRC CONNECTSRC MEDIASRC CHILDSRC OBJECTSRC BASEURI FORMACTIONMANIFESTSRC
VERACODE THE RESULTS: A LOOK AT DATA TOP JAVASCRIPT LIBRARIES > 3000 0 200000 400000 600000 800000 JQUERY JQUERY-UI MODERNIZR JQUERY-UI-DIALOG YEPNOPE JQUERY-UI-AUTOCOMPLETE JQUERY-UI-TOOLTIP BOOTSTRAP HTML5SHIV UNDERSCORE JQUERY.PRETTYPHOTO PROTOTYPEJS DRUPAL MOOTOOLS MEJS BACKBONE.JS ANGULARJS FOUNDATION JWPLAYER REQUIREJS HANDLEBARS.JS HAMMERJS JPLAYER MUSTACHE.JS SCRIPTACULOUS SHADOWBOX ZEROCLIPBOARD YUI RAPHAEL DATATABLES KNOCKOUT
VERACODE THE RESULTS: A LOOK AT DATA JAVASCRIPT ‘NEXTGEN’ FRAMEWORKS > 100 0 4500 9000 13500 18000 BACKBONE.JS ANGULARJS FOUNDATION YUI KNOCKOUT DOJO REACTJS MARIONETTEJS VUEJS EMBER METEOR MITHRIL EXTJS POLYMER
VERACODE THE RESULTS: A LOOK AT DATA VULNERABILITY COUNTS 0 20000 40000 60000 80000 JQUERY JQUERY-UI-DIALOG JQUERY.PRETTYPHOTO ANGULARJS JQUERY-UI-TOOLTIP JPLAYER HANDLEBARS.JS ZEROCLIPBOARD MUSTACHE.JS YUI PROTOTYPEJS MEJS JWPLAYER DOJO EMBER TINYMCE PLUPLOAD JQUERY-MOBILE CKEDITOR
VERACODE THE RESULTS: A LOOK AT DATA LONGEST SECURITY HEADER AWARD - HTTPS://WWW.INSIGHTGUIDES.COM/ Content-Security-Policy: default-src 'self' http://tagmanager.google.com https://tagmanager.google.com https://*.doubleclick.net http://*.doubleclick.net https://*.google- analytics.com http://*.google-analytics.com https://*.livechatinc.com http://*.livechatinc.com https://*.cloudfront.net http://*.cloudfront.net https://*.googleusercontent.com http:// *.googleusercontent.com https://www.bugherd.com http://www.bugherd.com https://*.braintreegateway.com http://*.braintreegateway.com https://www.biblioimages.com http:// www.biblioimages.com https://fonts.gstatic.com http://fonts.gstatic.com https://*.googleapis.com http://*.googleapis.com https://tripadvisor.com http://tripadvisor.com https:// *.gstatic.com http://*.gstatic.com https://www.tripadvisor.com http://www.tripadvisor.com https://www.insightguides.com http://www.insightguides.com https://rum- static.pingdom.net http://rum-static.pingdom.net https://rum-collector.pingdom.net http://rum-collector.pingdom.net https://*.youtube.com http://*.youtube.com https:// www.googleadservices.com http://www.googleadservices.com https://connect.facebook.net http://connect.facebook.net https://googleads.g.doubleclick.net http:// googleads.g.doubleclick.net https://www.facebook.com http://www.facebook.com https://cdn.inspectlet.com http://cdn.inspectlet.com https://hn.inspectlet.com http:// hn.inspectlet.com https://*.apa.yoda.site http://*.apa.yoda.site https://www.preprod.apa.yoda.site http://www.preprod.apa.yoda.site https://www.test.apa.yoda.site http:// www.test.apa.yoda.site https://www.google.com http://www.google.com https://www.google.pl http://www.google.pl https://www.google.co.uk http://www.google.co.uk https:// google.com http://google.com https://google.pl http://google.pl https://google.co.uk http://google.co.uk https://ethn.io http://ethn.io https://stats.g.doubleclick.net http:// stats.g.doubleclick.net https://platform.instagram.com http://platform.instagram.com https://instagram.com http://instagram.com https://www.instagram.com http:// www.instagram.com https://*.amazonaws.com http://*.amazonaws.com blob:; script-src 'self' http://www.googletagmanager.com https://www.googletagmanager.com http:// tagmanager.google.com https://tagmanager.google.com https://*.doubleclick.net http://*.doubleclick.net https://*.google-analytics.com http://*.google-analytics.com https:// *.livechatinc.com http://*.livechatinc.com https://*.cloudfront.net http://*.cloudfront.net https://*.googleusercontent.com http://*.googleusercontent.com https://www.bugherd.com http://www.bugherd.com https://*.braintreegateway.com http://*.braintreegateway.com https://www.biblioimages.com http://www.biblioimages.com https://fonts.gstatic.com http:// fonts.gstatic.com https://*.googleapis.com http://*.googleapis.com https://tripadvisor.com http://tripadvisor.com https://*.gstatic.com http://*.gstatic.com https://www.tripadvisor.com http://www.tripadvisor.com https://www.insightguides.com http://www.insightguides.com https://rum-static.pingdom.net http://rum-static.pingdom.net https://rum- collector.pingdom.net http://rum-collector.pingdom.net https://*.youtube.com http://*.youtube.com https://www.googleadservices.com http://www.googleadservices.com https:// connect.facebook.net http://connect.facebook.net https://googleads.g.doubleclick.net http://googleads.g.doubleclick.net https://www.facebook.com http://www.facebook.com https://cdn.inspectlet.com http://cdn.inspectlet.com https://hn.inspectlet.com http://hn.inspectlet.com https://*.apa.yoda.site http://*.apa.yoda.site https://www.preprod.apa.yoda.site http://www.preprod.apa.yoda.site https://www.test.apa.yoda.site http://www.test.apa.yoda.site https://www.google.com http://www.google.com https://www.google.pl http:// www.google.pl https://www.google.co.uk http://www.google.co.uk https://google.com http://google.com https://google.pl http://google.pl https://google.co.uk http://google.co.uk https://ethn.io http://ethn.io https://stats.g.doubleclick.net http://stats.g.doubleclick.net https://platform.instagram.com http://platform.instagram.com https://instagram.com http:// instagram.com https://www.instagram.com http://www.instagram.com https://*.amazonaws.com http://*.amazonaws.com 'unsafe-eval' 'unsafe-inline' https://apis.google.com blob:; connect-src * 'self' http://tagmanager.google.com https://tagmanager.google.com https://*.doubleclick.net http://*.doubleclick.net https://*.google-analytics.com http://*.google- analytics.com https://*.livechatinc.com http://*.livechatinc.com https://*.cloudfront.net http://*.cloudfront.net https://*.googleusercontent.com http://*.googleusercontent.com https:// www.bugherd.com http://www.bugherd.com https://*.braintreegateway.com http://*.braintreegateway.com https://www.biblioimages.com http://www.biblioimages.com https:// fonts.gstatic.com http://fonts.gstatic.com https://*.googleapis.com http://*.googleapis.com https://tripadvisor.com http://tripadvisor.com https://*.gstatic.com http://*.gstatic.com https://www.tripadvisor.com http://www.tripadvisor.com https://www.insightguides.com http://www.insightguides.com https://rum-static.pingdom.net http://rum-static.pingdom.net https://rum-collector.pingdom.net http://rum-collector.pingdom.net https://*.youtube.com http://*.youtube.com https://www.googleadservices.com http://www.googleadservices.com https://connect.facebook.net http://connect.facebook.net https://googleads.g.doubleclick.net http://googleads.g.doubleclick.net https://www.facebook.com http:// www.facebook.com https://cdn.inspectlet.com http://cdn.inspectlet.com https://hn.inspectlet.com http://hn.inspectlet.com https://*.apa.yoda.site http://*.apa.yoda.site https:// www.preprod.apa.yoda.site http://www.preprod.apa.yoda.site https://www.test.apa.yoda.site http://www.test.apa.yoda.site https://www.google.com http://www.google.com https:// www.google.pl http://www.google.pl https://www.google.co.uk http://www.google.co.uk https://google.com http://google.com https://google.pl http://google.pl https:// google.co.uk http://google.co.uk https://ethn.io http://ethn.io https://stats.g.doubleclick.net http://stats.g.doubleclick.net https://platform.instagram.com http:// platform.instagram.com https://instagram.com http://instagram.com https://www.instagram.com http://www.instagram.com https://*.amazonaws.com http://*.amazonaws.com blob:;
VERACODE THE RESULTS: A LOOK AT DATA SOME OF MY FAVORITE HTTP STATUS LINES ▸ HTTP 500 access denied ("java.io.FilePermission" "D: homeXXXXXXXXX.comoriModelGlueunity eventrequestEventRequest.cfc" "read") ▸ HTTP 500 "Duplicate entry '1473335051' for key 'timestamp' SQL=INSERT INTO `#__zt_visitor_counter` (`id`,`timestamp`,`visits`,`guests`,`ipaddress`,`useragent`) VALUES (null, '1473335051', 1 , 1 , '54.208.81.16', ‘chrome')" ▸ HTTP 500 "Server Made Big Boo"
“NO HACKING” ABSOLUTE FAVORITE STATUS LINE
VERACODE THE RESULTS: A LOOK AT DATA CONCLUSION ▸ Use NSQ, seriously. ▸ Concurrency can be difficult ▸ Batch data before inserting to DB ▸ If DB rows > a few million, consider sharding ▸ Test different types of table schema for performance ▸ Treat browsers like garbage and handle appropriately
VERACODE THE RESULTS: A LOOK AT DATA QUESTIONS? ▸ twitter: @_wirepair ▸ github: wirepair ▸ gcd: https://github.com/wirepair/gcd ▸ autogcd: https://github.com/wirepair/autogcd ▸ killface: https://github.com/wirepair/killface ▸ Thanks to all my coworkers supporting and listening to my daily rants!

More Related Content

PDF
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
PPTX
Top Ten Web Hacking Techniques of 2012
byJeremiah Grossman
 
PPTX
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
byCODE BLUE
 
PDF
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
byWayne Huang
 
PPTX
Client-side JavaScript Vulnerabilities
byOry Segal
 
PDF
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 
PDF
Integrity protection for third-party JavaScript
byFrancois Marier
 
PDF
URL to HTML
byFrancois Marier
 
Frans Rosén Keynote at BSides Ahmedabad
bySecurity BSides Ahmedabad
 
Top Ten Web Hacking Techniques of 2012
byJeremiah Grossman
 
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
byCODE BLUE
 
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection
byWayne Huang
 
Client-side JavaScript Vulnerabilities
byOry Segal
 
Top Ten Web Hacking Techniques (2010)
byJeremiah Grossman
 
Integrity protection for third-party JavaScript
byFrancois Marier
 
URL to HTML
byFrancois Marier
 

What's hot

PPTX
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 
PDF
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
PDF
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
PPTX
Javascript Security
byjgrahamc
 
PDF
Attacking AWS: the full cyber kill chain
bySecuRing
 
PDF
DrupalCamp London 2017 - Web site insecurity
byGeorge Boobyer
 
PDF
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
PDF
Abusing & Securing XPC in macOS apps
bySecuRing
 
DOCX
Web-servers & Application Hacking
byRaghav Bisht
 
PDF
JavaScript Security
byJason Harwig
 
PDF
Two scoops of Django - Security Best Practices
bySpin Lai
 
PDF
End to end web security
byGeorge Boobyer
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
PDF
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
PPTX
W3 conf hill-html5-security-realities
byBrad Hill
 
PDF
Rails security: above and beyond the defaults
byMatias Korhonen
 
PDF
Integrity protection for third-party JavaScript
byFrancois Marier
 
PPTX
Make profit with UI-Redressing attacks.
byn|u - The Open Security Community
 
PPTX
MITM Attacks on HTTPS: Another Perspective
byGreenD0g
 
PDF
Sandboxed platform using IFrames, postMessage and localStorage
bytomasperezv
 
Cross Site Scripting (XSS) Defense with Java
byJim Manico
 
Ekoparty 2017 - The Bug Hunter's Methodology
bybugcrowd
 
Neat tricks to bypass CSRF-protection
byMikhail Egorov
 
Javascript Security
byjgrahamc
 
Attacking AWS: the full cyber kill chain
bySecuRing
 
DrupalCamp London 2017 - Web site insecurity
byGeorge Boobyer
 
Hunting for security bugs in AEM webapps
byMikhail Egorov
 
Abusing & Securing XPC in macOS apps
bySecuRing
 
Web-servers & Application Hacking
byRaghav Bisht
 
JavaScript Security
byJason Harwig
 
Two scoops of Django - Security Best Practices
bySpin Lai
 
End to end web security
byGeorge Boobyer
 
Case Study of Django: Web Frameworks that are Secure by Default
byMohammed ALDOUB
 
Top Ten Web Hacking Techniques (2008)
byJeremiah Grossman
 
W3 conf hill-html5-security-realities
byBrad Hill
 
Rails security: above and beyond the defaults
byMatias Korhonen
 
Integrity protection for third-party JavaScript
byFrancois Marier
 
Make profit with UI-Redressing attacks.
byn|u - The Open Security Community
 
MITM Attacks on HTTPS: Another Perspective
byGreenD0g
 
Sandboxed platform using IFrames, postMessage and localStorage
bytomasperezv
 

Viewers also liked

PPTX
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
PPTX
[CB16] 難解なウェブアプリケーションの脆弱性 by Andrés Riancho
byCODE BLUE
 
PPTX
[CB16] スマートフォン制御のIoTデバイスにおけるBLE認証設計の課題:Gogoroスマートスクターの分析を通じて by Chen-yu Dai [...
byCODE BLUE
 
PPTX
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
byCODE BLUE
 
PPTX
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
byCODE BLUE
 
PPTX
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
byCODE BLUE
 
PDF
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
byCODE BLUE
 
PPT
[CB16] Who put the backdoor in my modem? by Ewerson Guimaraes
byCODE BLUE
 
PPTX
[CB16] WireGuard: Next Generation Abuse-Resistant Kernel Network Tunnel by Ja...
byCODE BLUE
 
PDF
CODE BLUE 2014 : バグハンターの愉しみ by キヌガワマサト Masato Kinugawa
byCODE BLUE
 
PPTX
[CB16] IoTとしての自動車とセキュリティ: リモートサービスのセキュリティ評価とその対策の検討 - by 和栗直英
byCODE BLUE
 
PPTX
XSSフィルターを利用したXSS攻撃 by Masato Kinugawa
byCODE BLUE
 
PPTX
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
byCODE BLUE
 
PPTX
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
byCODE BLUE
 
PPTX
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl
byCODE BLUE
 
PDF
[CB16] Keynote: How much security is too much? by Karsten Nohl
byCODE BLUE
 
PPTX
Code blue
bywcmc
 
PPTX
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
PPTX
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
byCODE BLUE
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
[CB16] 難解なウェブアプリケーションの脆弱性 by Andrés Riancho
byCODE BLUE
 
[CB16] スマートフォン制御のIoTデバイスにおけるBLE認証設計の課題:Gogoroスマートスクターの分析を通じて by Chen-yu Dai [...
byCODE BLUE
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
byCODE BLUE
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
byCODE BLUE
 
[CB16] Security in the IoT World: Analyzing the Security of Mobile Apps for A...
byCODE BLUE
 
[CB16] House of Einherjar :GLIBC上の新たなヒープ活用テクニック by 松隈大樹
byCODE BLUE
 
[CB16] Who put the backdoor in my modem? by Ewerson Guimaraes
byCODE BLUE
 
[CB16] WireGuard: Next Generation Abuse-Resistant Kernel Network Tunnel by Ja...
byCODE BLUE
 
CODE BLUE 2014 : バグハンターの愉しみ by キヌガワマサト Masato Kinugawa
byCODE BLUE
 
[CB16] IoTとしての自動車とセキュリティ: リモートサービスのセキュリティ評価とその対策の検討 - by 和栗直英
byCODE BLUE
 
XSSフィルターを利用したXSS攻撃 by Masato Kinugawa
byCODE BLUE
 
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...
byCODE BLUE
 
[CB16] バイナリロックスターになる:Binary Ninjaによるプログラム解析入門 by Sophia D’Antoine
byCODE BLUE
 
[CB16] 基調講演: セキュリティはどれくらいが適量? – How much security is too much? – by Karsten Nohl
byCODE BLUE
 
[CB16] Keynote: How much security is too much? by Karsten Nohl
byCODE BLUE
 
Code blue
bywcmc
 
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...
byCODE BLUE
 
[CB16] Background Story of "Operation neutralizing banking malware" and highl...
byCODE BLUE
 

Similar to [CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson

PPTX
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
PDF
Design and Implementation of a High- Performance Distributed Web Crawler
byGeorge Ang
 
KEY
Picking gem ruby for penetration testers
byPaolo Perego
 
PDF
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
PPTX
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
byAdam Doupe
 
PDF
BlueHat v17 || Disrupting the Mirai Botnet
byBlueHat Security Conference
 
PPTX
A density based clustering approach for web robot detection
byWright State University, Dayton, OH, USA
 
PDF
project report on IoT
byAnshul Sahu
 
PDF
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
PDF
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
bySecurity Bootcamp
 
PDF
Crawlware
bykidrane
 
PPTX
Introduction of vertical crawler
byJinglun Li
 
PPTX
The Internet as a Single Database
byDatafiniti
 
PDF
Amish Umesh - Future Of Web App Testing - ClubHack2007
byClubHack
 
PDF
Www usenix-org
byOuzza Brahim
 
PDF
Magic of Ruby
byGabriele Lana
 
PDF
HTML5 Security
byVille Säävuori
 
PDF
[Russia] Bugs -> max, time &lt;= T
byOWASP EEE
 
PPTX
Find maximum bugs in limited time
bybeched
 
PDF
JavaScript APIs - The Web is the Platform - MDN Hack Day - Buenos Aires
byRobert Nyman
 
Bug Bounty for - Beginners
byHimanshu Kumar Das
 
Design and Implementation of a High- Performance Distributed Web Crawler
byGeorge Ang
 
Picking gem ruby for penetration testers
byPaolo Perego
 
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
Why Johnny Can't Pentest: An Analysis of Black-box Web Vulnerability Scanners
byAdam Doupe
 
BlueHat v17 || Disrupting the Mirai Botnet
byBlueHat Security Conference
 
A density based clustering approach for web robot detection
byWright State University, Dayton, OH, USA
 
project report on IoT
byAnshul Sahu
 
Defcon 20-zulla-improving-web-vulnerability-scanning
byzulla
 
Nguyen Huu Trung - Building a web vulnerability scanner - From a hacker’s view
bySecurity Bootcamp
 
Crawlware
bykidrane
 
Introduction of vertical crawler
byJinglun Li
 
The Internet as a Single Database
byDatafiniti
 
Amish Umesh - Future Of Web App Testing - ClubHack2007
byClubHack
 
Www usenix-org
byOuzza Brahim
 
Magic of Ruby
byGabriele Lana
 
HTML5 Security
byVille Säävuori
 
[Russia] Bugs -> max, time &lt;= T
byOWASP EEE
 
Find maximum bugs in limited time
bybeched
 
JavaScript APIs - The Web is the Platform - MDN Hack Day - Buenos Aires
byRobert Nyman
 

More from CODE BLUE

PDF
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
byCODE BLUE
 
PDF
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
byCODE BLUE
 
PDF
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
byCODE BLUE
 
PDF
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
byCODE BLUE
 
PDF
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
byCODE BLUE
 
PDF
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
byCODE BLUE
 
PPTX
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
byCODE BLUE
 
PDF
[cb22] Tales of 5G hacking by Karsten Nohl
byCODE BLUE
 
PDF
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
byCODE BLUE
 
PPTX
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
byCODE BLUE
 
PDF
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
byCODE BLUE
 
PDF
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
PDF
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
PDF
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
byCODE BLUE
 
PDF
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
byCODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
byCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
byCODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
byCODE BLUE
 
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
byCODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
byCODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
byCODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
byCODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
byCODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
byCODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
byCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
byCODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
byCODE BLUE
 

Recently uploaded

PDF
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
PDF
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
PDF
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
PPTX
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
PPTX
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
PDF
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
PDF
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...
byWintari Yasmin
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
Cheryl Hung, Vibe Coding Auth Without Melting Down! isaqb Software Architectu...
byCheryl Hung
 
[BDD 2025 - Mobile Development] Exploring Apple’s On-Device FoundationModels
byWintari Yasmin
 
Parallel Computing BCS702 Module notes of the vtu college 7th sem 4.pdf
byMatheshVishnu
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...
byWintari Yasmin
 
UFCD 0797 - SISTEMAS OPERATIVOS_Unidade Completa.pptx
byscribddobruno
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
"Feelings versus facts: why metrics are more important than intuition", Igor ...
byFwdays
 
Transforming Supply Chains with Amazon Bedrock AgentCore (AWS Swiss User Grou...
byChris Bingham
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
KMWorld - KM & AI Bring Collectivity, Nostalgia, & Selectivity
byJonathan Ralton
 
Cybersecurity Prevention and Detection: Unit 2
byVICTOR MAESTRE RAMIREZ
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 

[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson

  • 1.
    ISAAC DAWSON, AROUND THEWEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION VERACODE 15
  • 2.
    VERACODE AROUND THE WEBIN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION ABOUT ME: ▸ Previously at @stake, Symantec (10 years) ▸ Moved into research role at Veracode, Inc. (6 years) ▸ Living in Japan for 12 years ▸ I <3
  • 3.
    VERACODE AROUND THE WEBIN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION IT ALL STARTED IN 2012…
  • 4.
    VERACODE AROUND THE WEBIN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION SECURITY HEADER SCANNING HISTORY ▸ All scanners use the Alexa Top 1 Million URLs ▸ Galexa (November 2012 - March 2014) ▸ Golexa (March 2014 - February 2016) ▸ Creeper v0-v1 (February 2016 - July 2016) ▸ Creeper v2 (July 2016 - …)
  • 5.
  • 6.
    VERACODE AROUND THE WEBIN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION SUMMARY OF SYSTEMS & COMPONENTS ▸ Admin (x1) - Manages jobs ▸ Agents (x50) - Analyzes URLs ▸ DB Writers (x4) - Feeds analysis data into the DB & S3 ▸ Database (x1) - PostgreSQL 9.5 DB ▸ NSQ - A message queue for URLs, reports and responses ▸ S3 - Stores serialized DOM and HTML/JS
  • 7.
    VERACODE AROUND THE WEBIN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION THE MESSAGE QUEUE -NSQD, NSQLOOKUPD ▸ NSQ is an easy to deploy message queue ▸ JSON messages between all systems ▸ All agents point to Admin service running NSQLookupd
  • 8.
    VERACODE AROUND THE WEBIN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION HELPFUL NSQ FEATURES // Create consumer c.urlConsumer, err = nsq.NewConsumer(job.Topics["url"], creeper_types.UrlChannel, cfg) // Process numBrowser of messages concurrently (7) c.urlConsumer.AddConcurrentHandlers( nsq.HandlerFunc(c.processUrls), numBrowsers) 
 // Job taking too long to handle/process a message? msg.Touch() // notify we are still working on this message // Need to requeue because chrome crashed? msg.RequeueWithoutBackoff(-1) // Need to change max # of inflight messages? c.urlConsumer.ChangeMaxInFlight(c.getInflightCount()) 1 2 3 4
  • 9.
    VERACODE DATA STORAGE AROUND THEWEB IN 80 HOURS: SCALABLE FINGERPRINTING WITH CHROMIUM AUTOMATION DATAFLOW DB AGENT ADMIN WRITER WRITER WRITER S3 AGENT AGENT
  • 10.
  • 11.
  • 12.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA BROWSER AUTOMATION REQUIREMENTS ▸ Automatable ▸ Fast ▸ Capture network ▸ Capture various browser events (CSP violations) ▸ Inject JavaScript
  • 13.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA CHOSE CHROME, FOR OBVIOUS REASONS… ▸ Each agent runs 3-6 tabs concurrently ▸ Headless, uses Xvfb ▸ Can get full read access to network response data ▸ Easily inject javascript ▸ Can subscribe to console messages
  • 14.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA AGENT DESIGN CREEPER AGENT BROWSER MANAGER ANALYZER REPORTER APP LOGIC
  • 15.
  • 16.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA GOOGLE CHROME REMOTE DEBUGGER ▸ Huge definition files: browser_protocol.json and js_protocol.json { "version": { "major": "1", "minor": "1" }, "domains": [{ "domain": "Inspector", "hidden": true, "types": [], "commands": [{ "name": "enable", "description": "Enables inspector domain...”, "handlers": ["browser", "renderer"] }], "events": [{ "name": "evaluateForTestInFrontend", "parameters": [ … ] }], } }
  • 17.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA GCD ▸ GCD generates Go code using templates ▸ Remote access to debugger events, functions, types. ▸ Can be updated easily as the protocol files change
  • 18.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA GCD WAS GOOD BUT… ▸ Needed something better ▸ Built autogcd to automate: ▸ Trapping console messages ▸ Intercepting network data ▸ Injecting JS ▸ Took some inspiration from WebDriver
  • 19.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA GETTING CSP EVENTS func (b *Browser) StartIntercepting() error { b.tab.GetConsoleMessages(b.cspHandler()) return nil } func (b *Browser) cspHandler() autogcd.ConsoleMessageFunc { return func(tab *autogcd.Tab, message *gcdapi.ConsoleConsoleMessage) { if message.Source != "security" { return } parseCsp(b.creeperData.CspResults, b.creeperData.ReportOnlyCspResults, message.Text) } } 1 2
  • 20.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA TRAPPING NETWORK RESPONSES func (b *Browser) StartIntercepting() error { b.tab.GetNetworkTraffic(nil, b.responseHandler(), b.respFinishedHandler()) } func (b *Browser) responseHandler() autogcd.NetworkResponseHandlerFunc { return func(tab *autogcd.Tab, response *autogcd.NetworkResponse) { creeperResponse.Url = response.Response.Url b.networkContainer.WaitFor(response.RequestId) creeperResponse.ResponseBody, _ = b.encodeBody(response.RequestId, creeperResponse.MimeType, creeperResponse.Url) b.networkContainer.AddReady(creeperResponse) } } // mark the body as ready func (b *Browser) respFinishedHandler() autogcd.NetworkFinishedHandlerFunc { return func(tab *autogcd.Tab, requestId string, dataLength, timeStamp float64) { b.networkContainer.BodyReady(requestId) } } 1 2 3 4
  • 21.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA INJECTING JAVASCRIPT ▸ Extract JS libraries and versions ▸ Retire.js and Wappalyzer have some good pointers ▸ Created a JSON file with 86 frameworks ▸ Must wait for the page to be fully loaded
  • 22.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA INJECTING JAVASCRIPT - THE QUERIES { "libraries": [ { "url": "http://jquery.com/", "key": "jquery", "statement": "jQuery.fn.jquery" }, { "url": "https://jquerymobile.com/", "key": "jquery-mobile", "statement": "jQuery.mobile.version" }, { "url": "http://www.embeddedjs.com/", "key": "embeddedjs 1.0", "statement": "(typeof EJS === "function" && typeof EJS.Buffer === "function") ? "ejs 1.0":""" }, { "url": "http://www.embeddedjs.com/", "key": "embeddedjs 0.x", "statement": "(typeof EJS === "function" && typeof EjsScanner === "function") ? "ejs 0.x":""" } ] }
  • 23.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA INJECTING JAVASCRIPT - INJECTING for _, library := range JsLibs.Libraries { res, err := b.ExecuteScript(library.Statement) if err == nil && string(res) != "" { log.Printf("%s library result was: %sn", library.Key, string(res)) report.JavaScriptLibraries[library.Key] = string(res) } }
  • 24.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA INJECTING JAVASCRIPT - WHEN IS A PAGE DONE? ▸ DOMContentLoaded doesn’t handle dynamically loaded JS ▸ Listen for DOM change events ▸ Page loaded if no DOM change events occur for > 2 seconds ▸ Timeout after 5 seconds
  • 25.
  • 26.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA CHALLENGES - CONTAMINATION + + + + | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + Start Capture Load URL Document Loaded Stop Capture
  • 27.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA CHALLENGES - CONTAMINATION - SOLUTION + + + + + + + | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | + + + + + + + Borrow Browser Start Capture Load URL Document Loaded Stop Capture Kill Browser Start/Add Pool
  • 28.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA CHALLENGES - CHROME BUG #1 ▸ Turns out opening tabs excessively can cause tabs to not respond to debugger protocol
  • 29.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA CHALLENGES - CHROME BUG #1 - SOLUTION ▸ Mark tabs as ‘dead’ ▸ If max dead tab count is reached, drain active URLs and kill chrome
  • 30.
  • 31.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA CHALLENGES - CHROME BUG #2 - CHRASHSAFARI.COM ▸ Would completely kill chrome *and* agent ▸ Lost all active tabs ▸ This site cost me about 2-3 weeks development time
  • 32.
    VERACODE ▸ Created killfacepackage ▸ Sends a notification to stop active work ▸ Worker count dynamically adjusted to 1 ▸ Pauses queue, runs all unfinished URLs again ▸ Once active count is 0, restart normally CREEPER AGENTS: GETTING THE DATA CHALLENGES - CRASHSAFARI.COM - SOLUTION
  • 33.
    VERACODE CREEPER AGENTS: GETTINGTHE DATA OTHER CHALLENGES ✘ NSQ messages too large, zipping ineffective ✓Split response data/report data ✘ Sites block AWS IP ranges, (craigslist.com etc) ☹ Timeout… ✘ Concurrency issues ✓ Very careful use of go routines, channels and timers. ✘ Site analysis failures/timeouts ✓ Try 3 times, keep track of retry state. ✓ During retry, open a new browser and work on additional url
  • 34.
    DB WRITERS &S3 STORING THE DATA WITH:
  • 35.
    VERACODE DB WRITERS: STORINGTHE DATA PREVIOUSLY… ▸ Creeper v0 had many problems ▸ RDS did not support PostgreSQL 9.5 ▸ Duplicate data ▸ For v1, wrote to disk, SHA1 of contents: ▸ /job/files/5/a/b/c/5abcfbe73e39e0572a939b09f1eb16d7.html ▸ v1 did not shard database tables ▸ Database tables were normalized ▸ Lock contention
  • 36.
    VERACODE DB WRITERS: STORINGTHE DATA DATABASE REFRESHER - NORMALIZING url header_name header_value http://veracode.com x-xss-protection 1; mode=block http://codeblue.jp x-xss-protection 1; mode=block http://google.jp x-xss-protection 1; mode=block report-uri … url header_name_id header_value_id http://veracode.com 0 0 http://codeblue.jp 0 0 http://google.jp 0 1 header_name_id header_name 0 x-xss-protection header_value_id header_value 0 1; mode=block 1 1; mode=block report-uri … NORMALIZED: FLATTENED:
  • 37.
    VERACODE DB WRITERS: STORINGTHE DATA CHALLENGES - GETTING THE DATA IN QUICKLY ▸ Get the data out of the DB writers as soon as possible ▸ Careful to not overload the database with many connections ▸ Reduce lock contention for writing
  • 38.
    VERACODE DB WRITERS: STORINGTHE DATA SOLUTION #1 - GETTING THE DATA IN QUICKLY ▸ DB Writers batch up reports and responses ▸ Inserted every 2.5-3.5 seconds ▸ Reduces number of required DB connections
  • 39.
    VERACODE DB WRITERS: STORINGTHE DATA SOLUTION #1 BATCHER func (b *Batcher) AddReport(r *creeper_types.CreeperReport) { select { case b.reportPool <- r: atomic.AddInt32(&b.reportCount, 1) } } func (b *Batcher) EmptyReports() []*creeper_types.CreeperReport { reports := make([]*creeper_types.CreeperReport, 0) for { select { case report := <-b.reportPool: reports = append(reports, report) default: return reports } } return nil }
  • 40.
    VERACODE DB WRITERS: STORINGTHE DATA SOLUTION #2 - GETTING THE DATA IN QUICKLY ▸ Insert into temporary table using COPY FROM ▸ Extracted from temporary table and INSERTed into final table. This allows for UPSERTS: INSERT INTO header_names (header_name) SELECT responses_tmp.header_name FROM responses_tmp ON CONFLICT DO NOTHING;
  • 41.
    VERACODE DB WRITERS: STORINGTHE DATA CHALLENGES - LARGE TABLES ▸ INSERT INTO … FROM SELECT … on a table with 80,000,000 rows ▸ As tables got bigger, db writers slowed down ▸ This is not scalable
  • 42.
    VERACODE DB WRITERS: STORINGTHE DATA SOLUTION - TABLE SHARDING ▸ Much like sharding for the file system ▸ Requires a key: ▸ URL ID. (Ex: 1,google.com 2,microsoft.com etc) ▸ Only large tables require sharding
  • 43.
    VERACODE shardKey % inputId shardKey= 1 shardKey = 2 shardKey = 3 DB DB WRITERS: STORING THE DATA TABLE SHARDING WRITER
  • 44.
    VERACODE DB WRITERS: STORINGTHE DATA CREATING A SHARD KEY ▸ Choose the number of times to shard your tables: ▸ shardKey = input_id % 32 ▸ Created PLpgSQL functions: ▸ create unlogged table if not exists job_0_responses ( response_id serial primary key, input_id integer not null, body_hash varchar(64) not null, resp_url bytea not null, resp_uuid varchar(64) unique not null, resp_type_id integer references resp_types (resp_type_id) not null, status_id integer references status_lines (status_id) not null, status_code integer, mime_type_id integer references mime_types (mime_type_id) not null, response_time bigint ); EXECUTE merge_headers(job, shardKey)
  • 45.
    VERACODE DB WRITERS: STORINGTHE DATA CONS WITH SHARDING ▸ Added complexity for querying ▸ Best to create a new table with all data for reporting ▸ In the future, may use Citus for sharding across multiple databases
  • 46.
    VERACODE DB WRITERS: STORINGTHE DATA RESPONSE DATA (JS/HTML)
  • 47.
    VERACODE ▸ S3 limits100/rps, but pushing 200-2000/rps ▸ Had to contact support ▸ Exponential Backoff, retry 10 times ▸ Hash is stored in response table ▸ HeadObject first to check existence, then PutObject ▸ HeadObjects are way cheaper DB WRITERS: STORING THE DATA MOVING TO S3
  • 48.
    VERACODE DB WRITERS: STORINGTHE DATA LASTLY… ▸ Created unlogged tables ▸ Modified PostgreSQL configuration: ▸ Set checkpoints 5 minutes (max) instead of 1 ▸ Enabled fsync ▸ Set max_wal_size 256
  • 49.
    THE RESULTS A LOOKAT THE DATA
  • 50.
    VERACODE THE RESULTS: ALOOK AT DATA SCAN STATISTICS Responses 72,193,155 Headers 525,385,900 JS Results 1,943,925 URLs w/Errors 67,315 Redirected to HTTPS 145,268 URLS w/CSP Violations 740 Scan Time 15 Hours Cost 343$ / 35063円
  • 51.
    VERACODE THE RESULTS: ALOOK AT DATA CSP VIOLATIONS ▸ 722 out of 4965 sites using CSP had violations ▸ Security sites: ▸ https://www.globalsign.com/en/, http://secunia.com/, ▸ https://lastpass.com/, https://www.avant.com/, http:// www.veracode.com/ ▸ Well known organizations: ▸ http://www.alibaba.com, https://www.doubleclickbygoogle.com ▸ https://mozillians.org/en-US/
  • 52.
    VERACODE THE RESULTS: ALOOK AT DATA SUM OF CSP VIOLATION TYPES 0 750 1500 2250 3000 SCRIPTSRC IMGSRC FRAMESRC FONTSRC STYLESRC CONNECTSRC MEDIASRC CHILDSRC OBJECTSRC BASEURI FORMACTIONMANIFESTSRC
  • 53.
    VERACODE THE RESULTS: ALOOK AT DATA TOP JAVASCRIPT LIBRARIES > 3000 0 200000 400000 600000 800000 JQUERY JQUERY-UI MODERNIZR JQUERY-UI-DIALOG YEPNOPE JQUERY-UI-AUTOCOMPLETE JQUERY-UI-TOOLTIP BOOTSTRAP HTML5SHIV UNDERSCORE JQUERY.PRETTYPHOTO PROTOTYPEJS DRUPAL MOOTOOLS MEJS BACKBONE.JS ANGULARJS FOUNDATION JWPLAYER REQUIREJS HANDLEBARS.JS HAMMERJS JPLAYER MUSTACHE.JS SCRIPTACULOUS SHADOWBOX ZEROCLIPBOARD YUI RAPHAEL DATATABLES KNOCKOUT
  • 54.
    VERACODE THE RESULTS: ALOOK AT DATA JAVASCRIPT ‘NEXTGEN’ FRAMEWORKS > 100 0 4500 9000 13500 18000 BACKBONE.JS ANGULARJS FOUNDATION YUI KNOCKOUT DOJO REACTJS MARIONETTEJS VUEJS EMBER METEOR MITHRIL EXTJS POLYMER
  • 55.
    VERACODE THE RESULTS: ALOOK AT DATA VULNERABILITY COUNTS 0 20000 40000 60000 80000 JQUERY JQUERY-UI-DIALOG JQUERY.PRETTYPHOTO ANGULARJS JQUERY-UI-TOOLTIP JPLAYER HANDLEBARS.JS ZEROCLIPBOARD MUSTACHE.JS YUI PROTOTYPEJS MEJS JWPLAYER DOJO EMBER TINYMCE PLUPLOAD JQUERY-MOBILE CKEDITOR
  • 56.
    VERACODE THE RESULTS: ALOOK AT DATA LONGEST SECURITY HEADER AWARD - HTTPS://WWW.INSIGHTGUIDES.COM/ Content-Security-Policy: default-src 'self' http://tagmanager.google.com https://tagmanager.google.com https://*.doubleclick.net http://*.doubleclick.net https://*.google- analytics.com http://*.google-analytics.com https://*.livechatinc.com http://*.livechatinc.com https://*.cloudfront.net http://*.cloudfront.net https://*.googleusercontent.com http:// *.googleusercontent.com https://www.bugherd.com http://www.bugherd.com https://*.braintreegateway.com http://*.braintreegateway.com https://www.biblioimages.com http:// www.biblioimages.com https://fonts.gstatic.com http://fonts.gstatic.com https://*.googleapis.com http://*.googleapis.com https://tripadvisor.com http://tripadvisor.com https:// *.gstatic.com http://*.gstatic.com https://www.tripadvisor.com http://www.tripadvisor.com https://www.insightguides.com http://www.insightguides.com https://rum- static.pingdom.net http://rum-static.pingdom.net https://rum-collector.pingdom.net http://rum-collector.pingdom.net https://*.youtube.com http://*.youtube.com https:// www.googleadservices.com http://www.googleadservices.com https://connect.facebook.net http://connect.facebook.net https://googleads.g.doubleclick.net http:// googleads.g.doubleclick.net https://www.facebook.com http://www.facebook.com https://cdn.inspectlet.com http://cdn.inspectlet.com https://hn.inspectlet.com http:// hn.inspectlet.com https://*.apa.yoda.site http://*.apa.yoda.site https://www.preprod.apa.yoda.site http://www.preprod.apa.yoda.site https://www.test.apa.yoda.site http:// www.test.apa.yoda.site https://www.google.com http://www.google.com https://www.google.pl http://www.google.pl https://www.google.co.uk http://www.google.co.uk https:// google.com http://google.com https://google.pl http://google.pl https://google.co.uk http://google.co.uk https://ethn.io http://ethn.io https://stats.g.doubleclick.net http:// stats.g.doubleclick.net https://platform.instagram.com http://platform.instagram.com https://instagram.com http://instagram.com https://www.instagram.com http:// www.instagram.com https://*.amazonaws.com http://*.amazonaws.com blob:; script-src 'self' http://www.googletagmanager.com https://www.googletagmanager.com http:// tagmanager.google.com https://tagmanager.google.com https://*.doubleclick.net http://*.doubleclick.net https://*.google-analytics.com http://*.google-analytics.com https:// *.livechatinc.com http://*.livechatinc.com https://*.cloudfront.net http://*.cloudfront.net https://*.googleusercontent.com http://*.googleusercontent.com https://www.bugherd.com http://www.bugherd.com https://*.braintreegateway.com http://*.braintreegateway.com https://www.biblioimages.com http://www.biblioimages.com https://fonts.gstatic.com http:// fonts.gstatic.com https://*.googleapis.com http://*.googleapis.com https://tripadvisor.com http://tripadvisor.com https://*.gstatic.com http://*.gstatic.com https://www.tripadvisor.com http://www.tripadvisor.com https://www.insightguides.com http://www.insightguides.com https://rum-static.pingdom.net http://rum-static.pingdom.net https://rum- collector.pingdom.net http://rum-collector.pingdom.net https://*.youtube.com http://*.youtube.com https://www.googleadservices.com http://www.googleadservices.com https:// connect.facebook.net http://connect.facebook.net https://googleads.g.doubleclick.net http://googleads.g.doubleclick.net https://www.facebook.com http://www.facebook.com https://cdn.inspectlet.com http://cdn.inspectlet.com https://hn.inspectlet.com http://hn.inspectlet.com https://*.apa.yoda.site http://*.apa.yoda.site https://www.preprod.apa.yoda.site http://www.preprod.apa.yoda.site https://www.test.apa.yoda.site http://www.test.apa.yoda.site https://www.google.com http://www.google.com https://www.google.pl http:// www.google.pl https://www.google.co.uk http://www.google.co.uk https://google.com http://google.com https://google.pl http://google.pl https://google.co.uk http://google.co.uk https://ethn.io http://ethn.io https://stats.g.doubleclick.net http://stats.g.doubleclick.net https://platform.instagram.com http://platform.instagram.com https://instagram.com http:// instagram.com https://www.instagram.com http://www.instagram.com https://*.amazonaws.com http://*.amazonaws.com 'unsafe-eval' 'unsafe-inline' https://apis.google.com blob:; connect-src * 'self' http://tagmanager.google.com https://tagmanager.google.com https://*.doubleclick.net http://*.doubleclick.net https://*.google-analytics.com http://*.google- analytics.com https://*.livechatinc.com http://*.livechatinc.com https://*.cloudfront.net http://*.cloudfront.net https://*.googleusercontent.com http://*.googleusercontent.com https:// www.bugherd.com http://www.bugherd.com https://*.braintreegateway.com http://*.braintreegateway.com https://www.biblioimages.com http://www.biblioimages.com https:// fonts.gstatic.com http://fonts.gstatic.com https://*.googleapis.com http://*.googleapis.com https://tripadvisor.com http://tripadvisor.com https://*.gstatic.com http://*.gstatic.com https://www.tripadvisor.com http://www.tripadvisor.com https://www.insightguides.com http://www.insightguides.com https://rum-static.pingdom.net http://rum-static.pingdom.net https://rum-collector.pingdom.net http://rum-collector.pingdom.net https://*.youtube.com http://*.youtube.com https://www.googleadservices.com http://www.googleadservices.com https://connect.facebook.net http://connect.facebook.net https://googleads.g.doubleclick.net http://googleads.g.doubleclick.net https://www.facebook.com http:// www.facebook.com https://cdn.inspectlet.com http://cdn.inspectlet.com https://hn.inspectlet.com http://hn.inspectlet.com https://*.apa.yoda.site http://*.apa.yoda.site https:// www.preprod.apa.yoda.site http://www.preprod.apa.yoda.site https://www.test.apa.yoda.site http://www.test.apa.yoda.site https://www.google.com http://www.google.com https:// www.google.pl http://www.google.pl https://www.google.co.uk http://www.google.co.uk https://google.com http://google.com https://google.pl http://google.pl https:// google.co.uk http://google.co.uk https://ethn.io http://ethn.io https://stats.g.doubleclick.net http://stats.g.doubleclick.net https://platform.instagram.com http:// platform.instagram.com https://instagram.com http://instagram.com https://www.instagram.com http://www.instagram.com https://*.amazonaws.com http://*.amazonaws.com blob:;
  • 57.
    VERACODE THE RESULTS: ALOOK AT DATA SOME OF MY FAVORITE HTTP STATUS LINES ▸ HTTP 500 access denied ("java.io.FilePermission" "D: homeXXXXXXXXX.comoriModelGlueunity eventrequestEventRequest.cfc" "read") ▸ HTTP 500 "Duplicate entry '1473335051' for key 'timestamp' SQL=INSERT INTO `#__zt_visitor_counter` (`id`,`timestamp`,`visits`,`guests`,`ipaddress`,`useragent`) VALUES (null, '1473335051', 1 , 1 , '54.208.81.16', ‘chrome')" ▸ HTTP 500 "Server Made Big Boo"
  • 58.
  • 59.
    VERACODE THE RESULTS: ALOOK AT DATA CONCLUSION ▸ Use NSQ, seriously. ▸ Concurrency can be difficult ▸ Batch data before inserting to DB ▸ If DB rows > a few million, consider sharding ▸ Test different types of table schema for performance ▸ Treat browsers like garbage and handle appropriately
  • 60.
    VERACODE THE RESULTS: ALOOK AT DATA QUESTIONS? ▸ twitter: @_wirepair ▸ github: wirepair ▸ gcd: https://github.com/wirepair/gcd ▸ autogcd: https://github.com/wirepair/autogcd ▸ killface: https://github.com/wirepair/killface ▸ Thanks to all my coworkers supporting and listening to my daily rants!