Thinking Like an Attacker

Febff9750db96ee2cbf83c9ed5bfc2c3?s=47 Nick Le Mouton
February 05, 2018
Technology
0
87

Thinking Like an Attacker

Febff9750db96ee2cbf83c9ed5bfc2c3?s=128

Nick Le Mouton

February 05, 2018
Tweet

Other Decks in Technology

See All in Technology
F3f3eec8682a76ed430054e8fd994f15?s=48 tmnakagawa
0
750
893dd6e1aa73c35621327c385cb27207?s=48 konnnnnok
0
130
30d97c8383a531c459ac210540b4eace?s=48 ry
1
210
5c3556b7c8c0ab6bc90a62161a8315f8?s=48 gracia
0
450
69b4dadef85efe143ac825b62d36ed7c?s=48 fruitriin
3
310
92e7a56a50535ef4c51c112c71d3f9c1?s=48 jkubota
0
270
53850955f15249a1a9dc49df6113e400?s=48 line_developers
0
130
C918bcbfa8df32567636c2d125a34fa1?s=48 sonnylazuardi
0
120
Cd891a89dfec6ca7bd278b5f5bd87c90?s=48 tzkoba
17
4.6k
2cf373725ded741824c50fd571eda6e1?s=48 udzura
0
1.1k
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
0
250
7507885e7de2f5fa2a3e80a445236d89?s=48 masatoka
0
170

Featured

See All Featured
1519587b1a0febb658c36c94f6272b0d?s=48 roundedbygravity
84
7.6k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
100
11k
D36d2c1821af9249b69ff7f5ed60529b?s=48 tammielis
236
23k
11c84dff30266b907714802088852677?s=48 jasonvnalue
80
7.8k
Ba530e786553390f3fb271848485681c?s=48 3n
159
22k
7edec06b5435e0dac07a353b2cc26253?s=48 geeforr
330
29k
2bb923c57a1fdc3a2eb484bb8d565fd2?s=48 ufuk
55
5.1k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
407
57k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
164
6.7k
Ecdea9b9714877b86cee08458f085481?s=48 trallard
6
240
4394ceb8b277f35ee3da7030384efb5d?s=48 davidbonilla
68
3.4k
3d6ace9554821d552146413bcdf874f6?s=48 trishagee
5
400

Transcript

  1. Thinking Like an Attacker
 (Hacking Your Own Organisation)

  2. # whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com

    • Developer • Security • Operations
  3. None
  4. None
  5. None

  6. Googlebot

  7. A2:2017 Broken Authentication

  8. None

  9. • Disconnect between security and developers • Security find vulnerabilities

    • Developers fix vulnerabilities • Security often don’t impart how they found the vulnerabilities in the first place

  10. • Best position to attack an application • Shift Mindset

    • Logic and knowledge
  11. None
  12. None

  13. Object Injection Example • A8:2017 Insecure Deserialization

  14. None
  15. None

  16. GuzzleHttp\Cookie\CookieJar

  17. Payload

  18. None
  19. None

  20. Blind XSS • A7:2017-Cross-Site Scripting (XSS) • Security scan shows

    no XSS vulnerability

  21. XSS Hunter

  22. So How Can I Do That? • Offensive Security Courses

    • Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/

  23. • Start hacking things, find out what works and what

    doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project

  24. CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org

    • Read write ups at ctftime.org/writeups

  25. Thank You