NCC Hackers - Creative Digital Careers · NCC Hackers. Dinis Cruz, Chief Information Security...
NCC Hackers
Dinis Cruz, Chief Information Security Officer
15 November 2017
Quick Quiz
What’s the difference?
Which language?
What is it?
Recap on last session
XSS
● In the last session we completed a challenge on XSS (Cross Site Scripting)
● This is a technique used by hackers
● XSS is one of the most common weaknesses in software development
● XSS is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser
● An attacker does not directly target their victim
■ They exploit a vulnerability in a website that the victim visits and get the website to deliver the malicious JavaScript for them
■ The malicious JavaScript appears to be a legitimate part of the website; the website acts as an unintentional accomplice to the attacker
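To make the mechanism in these bullets concrete, here is an added example in JavaScript (not from the slides or from NCC Group): a page fragment built by concatenating a user-supplied search term straight into the markup, next to the same fragment with the term HTML-encoded first. The function names, the constructed sample term and the tag-level check are assumptions made for the illustration; it runs under Node without a browser, modelling the "page" as the HTML string a server would send back.

```javascript
// Added example, not from the slides: how an XSS sink turns untrusted input into
// script the browser will run, and how output encoding neutralises it.

// Minimal HTML entity encoder for text placed inside an element body.
// Order matters: '&' is encoded first so later replacements are not re-encoded.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable: the search term (e.g. taken from the URL) is concatenated straight
// into the markup, so any tags inside it become part of the document the
// victim's browser parses.
function renderSearchUnsafe(term) {
  return `<p>Results for: ${term}</p>`;
}

// Hardened: the same term is entity-encoded first, so the browser displays the
// characters as text instead of interpreting them as markup.
function renderSearchSafe(term) {
  return `<p>Results for: ${escapeHtml(term)}</p>`;
}

// Simple defender-side check used in this demo: does the emitted HTML contain a
// script element? A real check would parse the DOM; this is tag-level only.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input (hypothetical): the textbook proof-of-concept string
// that would arrive if a victim followed a crafted link.
const SAMPLE_TERM = "shoes<script>alert(1)</script>";

console.log("unsafe:", renderSearchUnsafe(SAMPLE_TERM));
console.log("safe:  ", renderSearchSafe(SAMPLE_TERM));
```

The unsafe rendering emits a live `<script>` element; the safe one emits `&lt;script&gt;`, which the browser shows literally. Encoding for the element-body context is only one of several output contexts (attributes, URLs and JavaScript strings each need their own encoding), which is why frameworks that encode by default are preferred over hand-rolled helpers like this one.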
Any questions?
The Challenge
‘XSS in practice’
How to hack an API…
...and get away with it
Hacking an API
We quickly took you through hacking an API; let’s spend some more time on that...
● API security is something a company needs to take seriously
● Nobody is going to bail you out if your customers’ credit card numbers are stolen, or your customers’ users’ personal dating data is published on a torrent website
Hacking an API
● If you’re going to attack an API, then you must understand its perimeters
○ Most APIs use the HTTP protocol
○ HTTP is a text-based protocol which is easy to read
Secure APIs
● An API isn’t secure just because it uses SSL (Secure Sockets Layer) or OAuth (Open Authorisation)
● Developers need to make sure that their APIs keep users’ data (usernames and passwords) secure, which means creating a layer of separation between their information and the client
● A hacker will be looking for security standards that aren’t used correctly
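One concrete form of the "layer of separation" mentioned above is never serialising a stored user record directly into an API response. The following is an added example in JavaScript (not from the slides or from NCC Group): a constructed database row is returned once as-is and once through an allow-listed public view, with a small response-inspection check a defender could run in tests or at a proxy. The field names, the placeholder hash and token, and the helper names are assumptions made for the illustration; it runs under Node with no dependencies.

```javascript
// Added example, not from the slides: keeping credentials and secrets out of
// API responses by projecting the stored record onto an allow-listed view.

// Constructed sample (hypothetical) of what a user table row might hold,
// including columns that must never leave the server. Values are placeholders.
const STORED_USER = {
  id: 42,
  username: "alice",
  email: "alice@example.com",
  passwordHash: "PLACEHOLDER-PASSWORD-HASH",
  resetToken: "PLACEHOLDER-RESET-TOKEN",
  isAdmin: false,
};

// Weak: the whole row is serialised. Every column, including the password hash
// and the reset token, is handed to whoever can call the endpoint.
function toResponseUnsafe(row) {
  return JSON.stringify(row);
}

// Hardened: an explicit allow-list of fields the client is entitled to see.
// Sensitive columns added to the table later stay hidden because they are
// not named here (deny by default).
const PUBLIC_FIELDS = ["id", "username", "email"];

function toPublicView(row) {
  const view = {};
  for (const field of PUBLIC_FIELDS) {
    if (field in row) view[field] = row[field];
  }
  return view;
}

function toResponseSafe(row) {
  return JSON.stringify(toPublicView(row));
}

// Defender-side check: walk an outgoing JSON body and report any key that
// should never appear in a response, whatever depth it is nested at.
const FORBIDDEN_FIELDS = ["password", "passwordHash", "resetToken", "sessionSecret"];

function leakedFields(jsonBody) {
  const found = [];
  const walk = (value) => {
    if (value === null || typeof value !== "object") return;
    for (const [key, child] of Object.entries(value)) {
      if (FORBIDDEN_FIELDS.includes(key)) found.push(key);
      walk(child);
    }
  };
  walk(JSON.parse(jsonBody));
  return found;
}

console.log("unsafe leaks:", leakedFields(toResponseUnsafe(STORED_USER)));
console.log("safe leaks:  ", leakedFields(toResponseSafe(STORED_USER)));
```

The allow-list approach is deliberately the inverse of a deny-list on the serialiser: forgetting to add a new public field produces a visible bug that gets reported, while forgetting to hide a new secret field produces a silent leak.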
It happened to us...
The ‘hacker’s’ blog
He went into every detail!
http://www.ifc0nfig.com/moonpig-vulnerability/
The Challenge
‘find a way to log in as admin’
Find us on this Slack organisation
https://join.slack.com/t/ncc-hackers/signup