Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Thinking Like an Attacker
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Nick Le Mouton
February 05, 2018
Technology
0
100
Thinking Like an Attacker
Nick Le Mouton
February 05, 2018
Tweet
Share
Other Decks in Technology
See All in Technology
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
0gm
0
920
プロポーザルに込める段取り八分
shoheimitani
1
250
登壇駆動学習のすすめ — CfPのネタの見つけ方と書くときに意識していること
bicstone
3
100
Greatest Disaster Hits in Web Performance
guaca
0
240
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
10k
Amazon S3 Vectorsを使って資格勉強用AIエージェントを構築してみた
usanchuu
3
450
AIエージェントを開発しよう!-AgentCore活用の勘所-
yukiogawa
0
170
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
tatsukoni
0
220
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
sansantech
PRO
3
2.4k
What happened to RubyGems and what can we learn?
mikemcquaid
0
300
超初心者からでも大丈夫!オープンソース半導体の楽しみ方〜今こそ!オレオレチップをつくろう〜
keropiyo
0
110
予期せぬコストの急増を障害のように扱う――「コスト版ポストモーテム」の導入とその後の改善
muziyoshiz
1
1.9k
Featured
See All Featured
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
270
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
7.9k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
0
3.4k
Designing Experiences People Love
moore
144
24k
GitHub's CSS Performance
jonrohan
1032
470k
Utilizing Notion as your number one productivity tool
mfonobong
3
220
Google's AI Overviews - The New Search
badams
0
910
The agentic SEO stack - context over prompts
schlessera
0
640
エンジニアに許された特別な時間の終わり
watany
106
230k
The Power of CSS Pseudo Elements
geoffreycrofte
80
6.2k
The Language of Interfaces
destraynor
162
26k
Transcript
Thinking Like an Attacker (Hacking Your Own Organisation)
# whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com
• Developer • Security • Operations
None
None
None
Googlebot
A2:2017 Broken Authentication
None
• Disconnect between security and developers • Security find vulnerabilities
• Developers fix vulnerabilities • Security often don’t impart how they found the vulnerabilities in the first place
• Best position to attack an application • Shift Mindset
• Logic and knowledge
None
None
Object Injection Example • A8:2017 Insecure Deserialization
None
None
GuzzleHttp\Cookie\CookieJar
Payload
None
None
Blind XSS • A7:2017-Cross-Site Scripting (XSS) • Security scan shows
no XSS vulnerability
XSS Hunter
So How Can I Do That? • Offensive Security Courses
• Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/
• Start hacking things, find out what works and what
doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project
CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org
• Read write ups at ctftime.org/writeups
Thank You
SiteGround - Reliable hosting with speed, security, and support you can count on.
0gm
shoheimitani
bicstone
guaca
fullkaiten
usanchuu
yukiogawa
tatsukoni
sansantech
mikemcquaid
keropiyo
muziyoshiz
akashhashmi
pedronauck
eileencodes
katarinadahlin
moore
jonrohan
mfonobong
badams
schlessera
watany
geoffreycrofte
destraynor
