device you can configure a proxy on
• Google Chrome
  – Or another browser with good dev tools
• Fiddler
  – getfiddler.com
  – Or another HTTP proxy like charlesproxy.com
09:30 risks via the browser – 30 mins
10:00 Using an HTTP proxy – 30 mins
10:30 Break – 15 mins
10:45 XSS – 50 mins
11:35 SQL injection part 1 – 55 mins
12:30 Lunch – 1 hour
13:30 Password cracking – 50 mins
14:20 HTTPS – 60 mins
15:20 Break – 15 mins
15:35 Content Security Policy – 55 mins
16:30 Account Enumeration – 30 mins
17:00 Close
the dev tools
  – Elements, network, cookies, console, por… uh, incognito
• Create an account at hackyourselffirst.troyhunt.com
Hacker Challenge 1: Identify three security risks with the registration process
with Fiddler
  – Watch requests and their headers, review response body and headers, use the composer to reissue requests
Hacker Challenge 2: Use Fiddler to vote multiple times on 1 car with your ID
You encode for HTML differently than for JavaScript
• Check the encoding consistency
  – Often it’s manual and some characters are not encoded
• Play with JavaScript to:
  – Manipulate the DOM, access cookies, load external resources
the search page
  – What’s encoded, what’s not, which contexts the encoding is for
• What can be accessed or manipulated in the DOM
Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site
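The two slides above make one point: the same value needs a different encoder for an HTML context than for a JavaScript string context, and hand-rolled encoders usually miss characters. The following is an added example (not part of the workshop material) showing both encoders, a typical partial manual encoder as the weak "before" form, and a consistency check that reports which HTML-significant characters survive raw. The sample search term is constructed; the function names are this example's own.

```python
import html
import re

# Constructed sample input: a search term containing the characters that are
# significant in HTML and in JavaScript string contexts.
SAMPLE_TERM = '</script><img src=x onerror=alert(1)>"\'&'

HTML_SPECIALS = set('&<>"\'')


def encode_for_html(value: str) -> str:
    """Encode for an HTML body or quoted-attribute context.

    html.escape turns & < > " ' into entities, so the value can no longer
    open a tag or close the attribute it sits in.
    """
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Encode for a JavaScript string-literal context inside <script>.

    HTML entities mean nothing inside a script element, so a different scheme
    is needed: every character that is not ASCII alphanumeric becomes a
    \\uXXXX escape (astral characters become a surrogate pair). This also
    neutralises "</script>", which would otherwise end the element regardless
    of quoting.
    """
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        else:
            units = ch.encode("utf-16-be")
            for i in range(0, len(units), 2):
                out.append("\\u%04x" % int.from_bytes(units[i:i + 2], "big"))
    return "".join(out)


def partial_manual_encode(value: str) -> str:
    """A typical hand-rolled 'encoder' that only covers < and >.

    Kept as the weak 'before' form: it blocks new tags but leaves quotes and
    ampersands raw, so a value placed in an attribute can still break out.
    """
    return value.replace("<", "&lt;").replace(">", "&gt;")


_ENTITY = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z][a-zA-Z0-9]*);")


def unencoded_specials(encoded: str) -> set:
    """Consistency check: which HTML-significant characters survive raw?

    Well-formed entities are removed first so the '&' that starts '&lt;'
    is not reported as a raw ampersand.
    """
    stripped = _ENTITY.sub("", encoded)
    return {c for c in stripped if c in HTML_SPECIALS}


def render_search_result(term: str) -> str:
    """Render one value into two contexts, each with its own encoder."""
    return (
        "<p>You searched for <b>%s</b></p>\n"
        '<script>var lastQuery = "%s";</script>'
        % (encode_for_html(term), encode_for_js_string(term))
    )


if __name__ == "__main__":
    manual = partial_manual_encode(SAMPLE_TERM)
    print("HTML  :", encode_for_html(SAMPLE_TERM))
    print("JS    :", encode_for_js_string(SAMPLE_TERM))
    print("manual:", manual, "-> raw specials left:", sorted(unencoded_specials(manual)))
    print(render_search_result(SAMPLE_TERM))
```

Run the consistency check against what the application actually emits for a probe value in each location the value appears; the place where the result is not empty is the place to look at the encoder, and a value that reaches a `<script>` block through an HTML encoder is the inconsistency the slide is describing.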
WHERE Id = "
query += Request.Query["id"]

mysite.com/?id=1
SELECT * FROM Widget WHERE Id = 1

SELECT * FROM Widget WHERE Id = foo
Invalid column name 'foo'
disclose structure
  – sys.tables, sys.columns, system commands
• Consider how you’d enumerate through records
  – Select top x rows asc then top 1 rows from that desc
• Write out how you think the query works internally
  – SELECT * FROM Supercar ORDER BY [URL param]
SQLi
  – Construct strings to disclose internal data
  – Cast things to invalid types to disclose via exceptions
Hacker Challenge 4: Discover the version of the DB
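The slide's `query += Request.Query["id"]` is the whole problem: the parameter is spliced into SQL text, so `?id=foo` is parsed as a column name and the database error says so. The block below is an added example, not code from the workshop, that reproduces that behaviour against a constructed in-memory SQLite table and puts the fix beside it: a parameterised query, a generic client-facing error with the detail sent to a server-side log, and an integer check as defence in depth. SQLite words its error as "no such column" rather than SQL Server's "Invalid column name", but the disclosure is the same.

```python
import logging
import sqlite3

log = logging.getLogger("widget-lookup")


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the slide's Widget table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Widget (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Widget VALUES (?, ?)",
                     [(1, "gear"), (2, "sprocket")])
    return conn


def vulnerable_lookup(conn, id_param: str):
    """'Before': the concatenation pattern from the slide.

    Whatever arrives in ?id= is spliced into the SQL text, so the database
    parses it as SQL. Returns (rows, error_text); the raw exception text is
    what an application leaks when it echoes database errors to the client.
    """
    query = "SELECT * FROM Widget WHERE Id = " + id_param
    try:
        return conn.execute(query).fetchall(), None
    except sqlite3.Error as exc:
        return None, str(exc)


def safe_lookup(conn, id_param: str):
    """'After': a parameterised query plus a generic client-facing error.

    The driver sends the value separately from the SQL text, so it can only
    ever be compared against Id, never parsed as SQL. A non-numeric value
    simply matches no rows; any real database failure is logged server-side
    and the client sees a fixed message.
    """
    try:
        rows = conn.execute("SELECT * FROM Widget WHERE Id = ?",
                            (id_param,)).fetchall()
        return rows, None
    except sqlite3.Error as exc:
        log.error("widget lookup failed: %s", exc)
        return None, "lookup failed"


def parse_id(id_param: str):
    """Defence in depth: accept only a plain decimal integer for Id."""
    return int(id_param) if id_param.isdecimal() else None


if __name__ == "__main__":
    db = make_db()
    for param in ("1", "foo"):
        print("?id=%-4s vulnerable -> %s" % (param, vulnerable_lookup(db, param)))
        print("?id=%-4s safe       -> %s" % (param, safe_lookup(db, param)))
```

The difference to watch for when reviewing code is not the shape of the input but where it ends up: in `vulnerable_lookup` the input becomes part of the statement, in `safe_lookup` it can only ever be a value. Rejecting anything that is not an integer before the query runs (`parse_id`) is cheap and also keeps the error log free of noise.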
to crack
  – Character space: [a-zA-Z0-9]
  – Dictionary: passw0rd, abc123, qwerty
  – Mutations: manipulation and substitution of characters
• Cracking is all about the time factor – it’s not “absolute”
  – How long to crack how much
hashes
  – Identify the hashing algorithm
  – Convert them to plain text
Hacker Challenge 5: Use hashcat with the hashkiller dic to crack the Stratfor hashes
Hint: hashcat64.exe --help
forms!
  – The form can be manipulated in transit
  – Manipulate it to capture the “secure” credentials in transit
Hacker Challenge 6: Inject a JavaScript keylogger into an insecure login page using Fiddler script
what should be allowed to run
• Start with nothing and see what breaks
  – In development!
• Use the report feature to track exceptions
  – You’ll learn some interesting things…
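"Start with nothing" means a policy of `default-src 'none'`, and the "report feature" is the `report-uri` directive (newer browsers also support `report-to`), which makes the browser POST a JSON report for every violation. The block below is an added example, not part of the workshop material: it builds the report-only starting header, parses a constructed batch of violation reports, and sorts what they blocked into origins the site really needs and exceptions to investigate. Hostnames and paths are constructed; the function names are this example's own.

```python
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit


def report_only_policy(report_endpoint: str) -> tuple:
    """Starting point from the slide: allow nothing, report everything.

    Report-Only blocks nothing yet, so it can run while the reports show what
    the site really loads. Returns the header as a (name, value) pair.
    """
    return ("Content-Security-Policy-Report-Only",
            "default-src 'none'; report-uri " + report_endpoint)


# Constructed sample of the JSON bodies a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://shop.example.test/", '
    '"effective-directive": "script-src", "blocked-uri": "https://shop.example.test/js/app.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example.test/", '
    '"effective-directive": "style-src", "blocked-uri": "https://shop.example.test/css/site.css"}}',
    '{"csp-report": {"document-uri": "https://shop.example.test/", '
    '"effective-directive": "script-src", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://shop.example.test/cart", '
    '"effective-directive": "script-src", "blocked-uri": "https://shop.example.test/js/app.js"}}',
    '{"csp-report": {"document-uri": "https://shop.example.test/cart", '
    '"effective-directive": "img-src", "blocked-uri": "https://ads.unknown-third-party.test/px.gif"}}',
]


def summarise_reports(raw_reports):
    """Count (directive, blocked-uri) pairs across a batch of reports."""
    counts = Counter()
    for raw in raw_reports:
        report = json.loads(raw)["csp-report"]
        directive = report.get("effective-directive") or report.get("violated-directive")
        counts[(directive, report.get("blocked-uri") or "")] += 1
    return counts


def proposed_sources(raw_reports, first_party_host: str):
    """Group blocked origins per directive into 'allow' and 'investigate'.

    Origins on the first-party host are what the site really needs; anything
    else (a third party you did not add, or 'inline'/'eval') is an exception
    to look into rather than something to add to the policy.
    """
    allow = defaultdict(set)
    investigate = defaultdict(set)
    for (directive, blocked), _count in summarise_reports(raw_reports).items():
        if "://" not in blocked:          # 'inline', 'eval', 'data', 'self', ...
            investigate[directive].add(blocked)
            continue
        parts = urlsplit(blocked)
        origin = "%s://%s" % (parts.scheme, parts.netloc)
        target = allow if parts.hostname == first_party_host else investigate
        target[directive].add(origin)
    return dict(allow), dict(investigate)


def build_policy(allow, report_endpoint: str) -> str:
    """Next iteration of the header: still deny by default, allow only what was seen."""
    parts = ["default-src 'none'"]
    for directive in sorted(allow):
        parts.append("%s %s" % (directive, " ".join(sorted(allow[directive]))))
    parts.append("report-uri " + report_endpoint)
    return "; ".join(parts)


if __name__ == "__main__":
    print(report_only_policy("/csp-report"))
    allow, investigate = proposed_sources(SAMPLE_REPORTS, "shop.example.test")
    print("allow:", allow)
    print("investigate:", investigate)
    print(build_policy(allow, "/csp-report"))
```

The `investigate` bucket is where the slide's "interesting things" show up: inline script the developers did not know about, and requests to origins nobody added to the site, which in practice come from browser extensions, injected content or forgotten tags. Those belong in a review, not in the allow list.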
vectors for identifying the existence of an account
• There may or may not be anti-automation defence
  – And it may be inconsistent across vectors
• It may or may not even matter…
  – Very dependent on the nature of the site
enumeration
  – Think about how to “ask” the site about an account
  – Identify positive versus negative responses
Hacker Challenge 8: Identify 3 sites you use that disclose the presence of your account
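The three usual vectors for "asking" a site about an account are login, password reset and registration, and the positive/negative distinction the slide mentions is simply whether the visible response differs between a known and an unknown address. The block below is an added example (not workshop code) with leaky and uniform versions of each vector over a constructed one-user store, plus the check a developer can run across all vectors at once so that an inconsistency between them is also caught. The uniform login verifies a dummy credential when the account is unknown so that the two failure paths cost the same time.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed user store: email -> (salt, PBKDF2 hash). One known account.
_SALT = os.urandom(16)
USERS = {"alice@example.test": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential verified when the account is unknown, so the unknown-account
# path does the same work as a wrong-password one.
_DUMMY = (_SALT, _hash("not-a-real-password", _SALT))


# --- 'Before': each vector answers "does this account exist?" in its response.
def login_leaky(email, password):
    if email not in USERS:
        return 404, "No account with that email address"
    salt, stored = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return 401, "Incorrect password"
    return 200, "Welcome"


def reset_leaky(email):
    if email not in USERS:
        return 404, "We don't have an account for that address"
    return 200, "Password reset email sent"


def register_leaky(email):
    if email in USERS:
        return 409, "That email address is already registered"
    return 200, "Account created"


# --- 'After': positive and negative cases give the same visible response.
def login_uniform(email, password):
    salt, stored = USERS.get(email, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored) and email in USERS
    return (200, "Welcome") if ok else (401, "Invalid email address or password")


def reset_uniform(email):
    # Send the email only if the account exists; the requester sees the same text.
    return 200, "If an account exists for that address, a reset email has been sent"


def register_uniform(email):
    # For an existing account, email its owner instead of telling the requester.
    return 200, "Check your email to finish registration"


def discloses_presence(handler, known, unknown):
    """True when the visible response differs between a known and an unknown account."""
    return handler(known) != handler(unknown)


def audit(vectors, known="alice@example.test", unknown="nobody@example.test"):
    """Run the check across vectors; a mix of True and False is itself a finding."""
    return {name: discloses_presence(h, known, unknown) for name, h in vectors.items()}


LEAKY = {"login": lambda e: login_leaky(e, "wrong guess"),
         "reset": reset_leaky, "register": register_leaky}
UNIFORM = {"login": lambda e: login_uniform(e, "wrong guess"),
           "reset": reset_uniform, "register": register_uniform}

if __name__ == "__main__":
    print("leaky  :", audit(LEAKY))
    print("uniform:", audit(UNIFORM))
```

Whether uniform responses are worth the usability cost is the slide's "it may or may not even matter": for a site where membership is itself sensitive it does, and then the check has to pass on every vector, not just the login form.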