Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Thinking Like an Attacker

Avatar for Nick Le Mouton Nick Le Mouton
February 05, 2018
Technology
0
100

Thinking Like an Attacker

Avatar for Nick Le Mouton

Nick Le Mouton

February 05, 2018
Tweet

Other Decks in Technology

See All in Technology
クラウド開発の舞台裏とSRE文化の醸成 / SRE NEXT 2025 Lunch Session
Avatar for kazeburo kazeburo
1
400
CDKコード品質UP!ナイスな自作コンストラクタを作るための便利インターフェース
Avatar for Haruka Sakihara harukasakihara
2
160
事例で学ぶ!B2B SaaSにおけるSREの実践例/SRE for B2B SaaS: A Real-World Case Study
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
1
270
推し書籍📚 / Books and a QA Engineer
Avatar for akihisa1210 ak1210
0
120
IPA&AWSダブル全冠が明かす、人生を変えた勉強法のすべて
Avatar for iwamot iwamot
PRO
2
220
Operating Operator
Avatar for Jun Kokatsu shhnjk
1
640
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for danielconkling870 lufthanahelpsupport
0
230
AWS CDK 開発を成功に導くトラブルシューティングガイド
Avatar for Ryota Nakajima wandora58
3
140
[SRE NEXT] ARR150億円_エンジニア140名_27チーム_17プロダクトから始めるSLO.pdf
Avatar for sato-s satos
3
1.7k
【LT会登壇資料】TROCCO新コネクタ「スマレジ」を活用した直営店データの分析
Avatar for sho choma kazari0425
1
140
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
54
22k
「Chatwork」のEKS環境を支えるhelmfileを使用したマニフェスト管理術
Avatar for hanayo04 hanayo04
1
210

Featured

See All Featured
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
Build your cross-platform service in a week with App Engine
Avatar for Jose L jlugia
231
18k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
207
24k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
26
2.9k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
8
700
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.5k
JavaScript: Past, Present, and Future - NDC Porto 2020
Avatar for David Neal reverentgeek
50
5.5k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
407
66k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
524
40k

Transcript

  1. Thinking Like an Attacker
 (Hacking Your Own Organisation)

  2. # whoami • Nick Le Mouton (@noodlesnz) • CTO Drugs.com

    • Developer • Security • Operations
  3. None
  4. None
  5. None

  6. Googlebot

  7. A2:2017 Broken Authentication

  8. None

  9. • Disconnect between security and developers • Security find vulnerabilities

    • Developers fix vulnerabilities • Security often don’t impart how they found the vulnerabilities in the first place

  10. • Best position to attack an application • Shift Mindset

    • Logic and knowledge
  11. None
  12. None

  13. Object Injection Example • A8:2017 Insecure Deserialization

  14. None
  15. None

  16. GuzzleHttp\Cookie\CookieJar

  17. Payload

  18. None
  19. None

  20. Blind XSS • A7:2017-Cross-Site Scripting (XSS) • Security scan shows

    no XSS vulnerability

  21. XSS Hunter

  22. So How Can I Do That? • Offensive Security Courses

    • Hack Yourself First by Troy Hunt (pluralsight.com) • https://infosec101.nz/

  23. • Start hacking things, find out what works and what

    doesn’t • Damn Vulnerable Web Application (DVWA) • OWASP Juice Shop Project

  24. CTFs • CTFLearn.com • Find upcoming online CTFs on ctftime.org

    • Read write ups at ctftime.org/writeups

  25. Thank You