Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Thinking Like an Attacker
Search
Nick Le Mouton
February 05, 2018
Technology
0
100
Thinking Like an Attacker
Nick Le Mouton
February 05, 2018
Tweet
Share
Other Decks in Technology
See All in Technology
オブザーバビリティが広げる AIOps の世界 / The World of AIOps Expanded by Observability
aoto
PRO
0
250
「魔法少女まどか☆マギカ Magia Exedra」のグローバル展開を支える、開発チームと翻訳チームの「意識しない協創」を実現するローカライズシステム
gree_tech
PRO
0
430
【 LLMエンジニアがヒューマノイド開発に挑んでみた 】 - 第104回 Machine Learning 15minutes! Hybrid
soneo1127
0
240
20250903_1つのAWSアカウントに複数システムがある環境におけるアクセス制御をABACで実現.pdf
yhana
2
250
Language Update: Java
skrb
2
190
Jaws-ug名古屋_LT資料_20250829
azoo2024
3
210
AI エージェントとはそもそも何か? - 技術背景から Amazon Bedrock AgentCore での実装まで- / AI Agent Unicorn Day 2025
hariby
2
540
おやつは300円まで!の最適化を模索してみた
techtekt
PRO
0
250
絶対に失敗できないキャンペーンページの高速かつ安全な開発、WINTICKET × microCMS の開発事例
microcms
0
360
事業価値と Engineering
recruitengineers
PRO
8
5.4k
7月のガバクラ利用料が高かったので調べてみた
techniczna
3
810
生成AI時代に必要な価値ある意思決定を育てる「開発プロセス定義」を用いた中期戦略
kakehashi
PRO
1
250
Featured
See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
GraphQLの誤解/rethinking-graphql
sonatard
71
11k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
31
2.2k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
44
2.5k
Faster Mobile Websites
deanohume
309
31k
Docker and Python
trallard
45
3.5k
Code Review Best Practice
trishagee
70
19k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
4k
How To Stay Up To Date on Web Technology
chriscoyier
790
250k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
The Cult of Friendly URLs
andyhume
79
6.6k
The Power of CSS Pseudo Elements
geoffreycrofte
77
5.9k
Transcript
Thinking Like an Attacker (Hacking Your Own Organisation)
# whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com
• Developer • Security • Operations
None
None
None
Googlebot
A2:2017 Broken Authentication
None
• Disconnect between security and developers • Security find vulnerabilities
• Developers fix vulnerabilities • Security often don’t impart how they found the vulnerabilities in the first place
• Best position to attack an application • Shift Mindset
• Logic and knowledge
None
None
Object Injection Example • A8:2017 Insecure Deserialization
None
None
GuzzleHttp\Cookie\CookieJar
Payload
None
None
Blind XSS • A7:2017-Cross-Site Scripting (XSS) • Security scan shows
no XSS vulnerability
XSS Hunter
So How Can I Do That? • Offensive Security Courses
• Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/
• Start hacking things, find out what works and what
doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project
CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org
• Read write ups at ctftime.org/writeups
Thank You