Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Thinking Like an Attacker
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
Nick Le Mouton
February 05, 2018
Technology
0
100
Thinking Like an Attacker
Nick Le Mouton
February 05, 2018
Tweet
Share
Other Decks in Technology
See All in Technology
AIと新時代を切り拓く。これからのSREとメルカリIBISの挑戦
0gm
0
920
プロポーザルに込める段取り八分
shoheimitani
1
250
登壇駆動学習のすすめ — CfPのネタの見つけ方と書くときに意識していること
bicstone
3
100
Greatest Disaster Hits in Web Performance
guaca
0
240
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
10k
Amazon S3 Vectorsを使って資格勉強用AIエージェントを構築してみた
usanchuu
3
450
AIエージェントを開発しよう!-AgentCore活用の勘所-
yukiogawa
0
170
レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み
tatsukoni
0
220
Embedded SREの終わりを設計する 「なんとなく」から計画的な自立支援へ
sansantech
PRO
3
2.4k
What happened to RubyGems and what can we learn?
mikemcquaid
0
300
超初心者からでも大丈夫!オープンソース半導体の楽しみ方〜今こそ!オレオレチップをつくろう〜
keropiyo
0
110
予期せぬコストの急増を障害のように扱う――「コスト版ポストモーテム」の導入とその後の改善
muziyoshiz
1
1.9k
Featured
See All Featured
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
270
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
130k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
47
7.9k
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
0
3.4k
Designing Experiences People Love
moore
144
24k
GitHub's CSS Performance
jonrohan
1032
470k
Utilizing Notion as your number one productivity tool
mfonobong
3
220
Google's AI Overviews - The New Search
badams
0
910
The agentic SEO stack - context over prompts
schlessera
0
640
エンジニアに許された特別な時間の終わり
watany
106
230k
The Power of CSS Pseudo Elements
geoffreycrofte
80
6.2k
The Language of Interfaces
destraynor
162
26k
Transcript
Thinking Like an Attacker (Hacking Your Own Organisation)
# whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com
• Developer • Security • Operations
None
None
None
Googlebot
A2:2017 Broken Authentication
None
• Disconnect between security and developers • Security find vulnerabilities
• Developers fix vulnerabilities • Security often don’t impart how they found the vulnerabilities in the first place
• Best position to attack an application • Shift Mindset
• Logic and knowledge
None
None
Object Injection Example • A8:2017 Insecure Deserialization
None
None
GuzzleHttp\Cookie\CookieJar
Payload
None
None
Blind XSS • A7:2017-Cross-Site Scripting (XSS) • Security scan shows
no XSS vulnerability
XSS Hunter
So How Can I Do That? • Offensive Security Courses
• Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/
• Start hacking things, find out what works and what
doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project
CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org
• Read write ups at ctftime.org/writeups
Thank You