Thinking Like an Attacker

Nick Le Mouton

February 05, 2018

Transcript

  1. Thinking Like an Attacker (Hacking Your Own Organisation)

  2. # whoami
     • Nick Le Mouton (@noodlesnz)
     • CTO Drugs.com
     • Developer
     • Security
     • Operations
  6. Googlebot

  7. A2:2017 Broken Authentication

  9. Disconnect between security and developers
     • Security finds vulnerabilities
     • Developers fix vulnerabilities
     • Security often doesn’t impart how they found the vulnerabilities in the first place

  10. Best position to attack an application
     • Shift mindset
     • Logic and knowledge
  13. Object Injection Example
     • A8:2017 Insecure Deserialization

  16. GuzzleHttp\Cookie\CookieJar

  17. Payload

  20. Blind XSS
     • A7:2017 Cross-Site Scripting (XSS)
     • Security scan shows no XSS vulnerability

  21. XSS Hunter

  22. So How Can I Do That?
     • Offensive Security courses
     • Hack Yourself First by Troy Hunt (pluralsight.com)
     • https://infosec101.nz/

  23. Start hacking things, find out what works and what doesn’t
     • Damn Vulnerable Web Application (DVWA)
     • OWASP Juice Shop Project

  24. CTFs
     • CTFLearn.com
     • Find upcoming online CTFs on ctftime.org
     • Read write-ups at ctftime.org/writeups

  25. Thank You