Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Thinking Like an Attacker

Avatar for Nick Le Mouton Nick Le Mouton
February 05, 2018
Technology
0
100

Thinking Like an Attacker

Avatar for Nick Le Mouton

Nick Le Mouton

February 05, 2018
Tweet

Other Decks in Technology

See All in Technology
知覚とデザイン
Avatar for Rinchoku rinchoku
1
630
Oracle Database@Google Cloud:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
0
390
GPUをつかってベクトル検索を 扱う手法のお話し ~NVIDIA cuVSとCAGRA~
Avatar for fshuhe fshuhe
0
270
serverless team topology
Avatar for kensh _kensh
3
240
激動の時代を爆速リチーミングで乗り越えろ
Avatar for SansanTech sansantech
PRO
1
170
AIの個性を理解し、指揮する
Avatar for shoota shoota
3
480
進化する大規模言語モデル評価: Swallowプロジェクトにおける実践と知見
Avatar for Naoaki Okazaki chokkan
PRO
1
200
webpack依存からの脱却!快適フロントエンド開発をViteで実現する #vuefes
Avatar for 弁護士ドットコム bengo4com
4
3.7k
プロダクト開発と社内データ活用での、BI×AIの現在地 / Data_Findy
Avatar for Sansan R&D sansan_randd
1
640
AWSが好きすぎて、41歳でエンジニアになり、AAIを経由してAWSパートナー企業に入った話
Avatar for Yuuki Yamashita yama3133
2
190
How Fast Is Fast Enough? [PerfNow 2025]
Avatar for Tammy Everts tammyeverts
2
140
.NET 10のBlazorの期待の新機能
Avatar for tkym htkym
0
160

Featured

See All Featured
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
37
2.6k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
209
24k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
44
7.9k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
45
7.7k
Being A Developer After 40
Avatar for Adrian Kosmaczewski akosma
91
590k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.5k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
239
140k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1.2k
Distributed Sagas: A Protocol for Coordinating Microservices
Avatar for Caitie McCaffrey caitiem20
333
22k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
7
670
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
234
18k
How GitHub (no longer) Works
Avatar for Zach Holman holman
315
140k

Transcript

  1. Thinking Like an Attacker
 (Hacking Your Own Organisation)

  2. # whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com

    • Developer • Security • Operations
  3. None
  4. None
  5. None

  6. Googlebot

  7. A2:2017 Broken Authentication

  8. None

  9. • Disconnect between security and developers • Security find vulnerabilities

    • Developers fix vulnerabilities • Security often don’t impart how they found the vulnerabilities in the first place

  10. • Best position to attack an application • Shift Mindset

    • Logic and knowledge
  11. None
  12. None

  13. Object Injection Example • A8:2017 Insecure Deserialization

  14. None
  15. None

  16. GuzzleHttp\Cookie\CookieJar

  17. Payload

  18. None
  19. None

  20. Blind XSS • A7:2017-Cross-Site Scripting (XSS) • Security scan shows

    no XSS vulnerability

  21. XSS Hunter

  22. So How Can I Do That? • Offensive Security Courses

    • Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/

  23. • Start hacking things, find out what works and what

    doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project

  24. CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org

    • Read write ups at ctftime.org/writeups

  25. Thank You