Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Thinking Like an Attacker

Avatar for Nick Le Mouton Nick Le Mouton
February 05, 2018
Technology
0
100

Thinking Like an Attacker

Avatar for Nick Le Mouton

Nick Le Mouton

February 05, 2018
Tweet

Other Decks in Technology

See All in Technology
オブザーバビリティが広げる AIOps の世界 / The World of AIOps Expanded by Observability
Avatar for Kento Kimura aoto
PRO
0
250
「魔法少女まどか☆マギカ Magia Exedra」のグローバル展開を支える、開発チームと翻訳チームの「意識しない協創」を実現するローカライズシステム
Avatar for gree_tech gree_tech
PRO
0
430
【 LLMエンジニアがヒューマノイド開発に挑んでみた 】 - 第104回 Machine Learning 15minutes! Hybrid
Avatar for soneo1127 soneo1127
0
240
20250903_1つのAWSアカウントに複数システムがある環境におけるアクセス制御をABACで実現.pdf
Avatar for yhana yhana
2
250
Language Update: Java
Avatar for Yuichi.Sakuraba skrb
2
190
Jaws-ug名古屋_LT資料_20250829
Avatar for Azoo azoo2024
3
210
AI エージェントとはそもそも何か? - 技術背景から Amazon Bedrock AgentCore での実装まで- / AI Agent Unicorn Day 2025
Avatar for Yoshitaka Haribara hariby
2
540
おやつは300円まで!の最適化を模索してみた
Avatar for PERSOL CAREER Dev | techtekt techtekt
PRO
0
250
絶対に失敗できないキャンペーンページの高速かつ安全な開発、WINTICKET × microCMS の開発事例
Avatar for microCMS microcms
0
360
事業価値と Engineering
Avatar for Recruit recruitengineers
PRO
8
5.4k
7月のガバクラ利用料が高かったので調べてみた
Avatar for 高橋広和 techniczna
3
810
生成AI時代に必要な価値ある意思決定を育てる「開発プロセス定義」を用いた中期戦略
Avatar for KAKEHASHI kakehashi
PRO
1
250

Featured

See All Featured
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
Avatar for Vitaly Friedman smashingmag
252
21k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
Avatar for Marc Duiker marcduiker
31
2.2k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.5k
Faster Mobile Websites
Avatar for Dean Hume deanohume
309
31k
Docker and Python
Avatar for Tania Allard trallard
45
3.5k
Code Review Best Practice
Avatar for Trisha Gee trishagee
70
19k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4k
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
Avatar for Aki / @LoveIdahoBurger aki_iinuma
126
53k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.6k
The Power of CSS Pseudo Elements
Avatar for Geoffrey Crofte geoffreycrofte
77
5.9k

Transcript

  1. Thinking Like an Attacker
 (Hacking Your Own Organisation)

  2. # whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com

    • Developer • Security • Operations
  3. None
  4. None
  5. None

  6. Googlebot

  7. A2:2017 Broken Authentication

  8. None

  9. • Disconnect between security and developers • Security find vulnerabilities

    • Developers fix vulnerabilities • Security often don’t impart how they found the vulnerabilities in the first place

  10. • Best position to attack an application • Shift Mindset

    • Logic and knowledge
  11. None
  12. None

  13. Object Injection Example • A8:2017 Insecure Deserialization

  14. None
  15. None

  16. GuzzleHttp\Cookie\CookieJar

  17. Payload

  18. None
  19. None

  20. Blind XSS • A7:2017-Cross-Site Scripting (XSS) • Security scan shows

    no XSS vulnerability

  21. XSS Hunter

  22. So How Can I Do That? • Offensive Security Courses

    • Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/

  23. • Start hacking things, find out what works and what

    doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project

  24. CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org

    • Read write ups at ctftime.org/writeups

  25. Thank You