Upgrade to Pro — share decks privately, control downloads, hide ads and more …

"Hack Yourself First" Workshop Slide Deck, Feb ...

Zoe Latchford
February 27, 2019
110

"Hack Yourself First" Workshop Slide Deck, Feb 2019

Zoe Latchford

February 27, 2019
Tweet

Transcript

  1. Because if we don’t, these kids are going to hack

    you Ryan Cleary, 19 (and his mum) Jake Davies, 18 (and his mum)
  2. Who are we protecting our assets from? Hacker Competency Hacker

    Resources Bored kids Pocket money Common Thieves Can invest where ROI makes sense Super Hackers $10.8B per annum
  3. Your Hacker Tools • A Wi-Fi connection • A mobile

    device you can configure a proxy on • Google Chrome – Or another browser with good dev tools • Fiddler – getfiddler.com – Or another HTTP proxy like charlesproxy.com
  4. What we’ll be covering Introduction – 30 mins 09:00 Discovering

    risks via the browser – 30 mins 09:30 Using an HTTP proxy – 30 mins 10:00 Break – 15 mins 10:30 XSS – 50 mins 10:45 SQL injection part 1 – 55 mins 11:35 Lunch – 1 hour 12:30 Password cracking – 50 mins 13:30 HTTPS – 60 mins 14:20 Break – 15 mins 15:20 Content Security Policy – 55 mins 15:35 Account Enumeration – 30 mins 16:30 Close 17:00
  5. Exercise 1 – Chrome developer tools • Familiarise yourself with

    the dev tools – Elements, network, cookies, console, por… uh, incognito • Create an account at hackyourselffirst.troyhunt.com Hacker Challenge 1: Identify three security risks with the registration process
  6. Exercise 2 – Using an HTTP proxy • Familiarise yourself

    with Fiddler – Watch requests and their headers, review response body and headers, use the composer to reissue request Hacker Challenge 2: Use Fiddler to vote multiple times on 1 car with your ID
  7. Understanding XSS mysite.com/?q=<script>alert('Yay XSS!');</script> <p>You searched for <%= Request.QueryString["q"] %></p>

    <p>You searched for <script>alert('Yay XSS!');</script></p> mysite.com/?q=ferrari <p>You searched for ferrari</p>
  8. Some quick XSS tips • Check the encoding context –

    You encode for HTML differently than for JavaScript • Check the encoding consistency – Often it’s manual and some characters are not encoded • Play with JavaScript to: – Manipulate the DOM, access cookies, load external resources
  9. Exercise 3 – XSS • Establish the encoding practices on

    the search page – What’s encoded, what’s not, what contexts are encoding • What can be accessed or manipulated in the DOM Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site
  10. Understanding SQLi mysite.com/?id=foo var query = "SELECT * FROM Widget

    WHERE Id = " query += Request.Query["id"] SELECT * FROM Widget WHERE Id = foo mysite.com/?id=1 SELECT * FROM Widget WHERE Id = 1 Invalid column name 'foo'
  11. Some quick SQLi tips • Think of SQL commands which

    disclose structure – sys.tables, sys.columns, system commands • Consider how you’d enumerate through records – Select top x rows asc then top 1 rows from that desc • Write out how you think the query works internally – SELECT * FROM Supercar ORDER BY [URL param]
  12. Exercise 4 – SQLi • Explore the database using error-based

    SQLi – Construct strings to disclose internal data – Cast things to invalid types to disclose via exceptions Hacker Challenge 4: Discover the version of the DB
  13. Understanding password hashing with salt passw0rd + random salt Hashing

    algorithm Output Store output and salt Retrieve output and salt for username and repeat process at login
  14. Understanding hash cracking • This is not about breaking the

    algorithm – You can’t “unhash” • It’s about repeating the hash-creation process – It’s just a question of speed…
  15. Some quick hash cracking tips • There are multiple ways

    to crack – Character space: [a-zA-Z0-9] – Dictionary: passw0rd, abc123, qwerty – Mutations: manipulation and substitution of characters • Cracking is all about time factor – it’s not “absolute” – How long to crack how much
  16. Exercise 5 – Password cracking • Cracking the Stratfor password

    hashes – Identify the hashing algorithm – Convert them to plain text Hacker Challenge 5: Use hashcat with the hashkiller dic to crack the Strafor hashes Hint: hashcat64.exe --help
  17. Some quick HTTPS tips • Consider everything sent over HTTP

    to be compromised • Also look at HTTPS content embedded in untrusted pages – Iframes – Links to HTTPS
  18. Exercise 6 – HTTPS • You can’t trust insecure login

    forms! – The form can be manipulated in transit – Manipulate it to capture the “secure” credentials in transit Hacker Challenge 6: Inject a JavaScript keylogger into an insecure login page using Fiddler script
  19. Without a CSP • Anything can be added to the

    page via a reflected XSS risk • Anything can be added to the DOM downstream of the server – …and you have no idea when this one is happening!
  20. With a CSP • The browser will only load resources

    you white-list – Local resources – Remote resources • Any violations can be reported – If you’re nervous, you always just report and not block
  21. Some quick CSP tips • Create a white list of

    what should be allowed to run • Start with nothing and see what breaks – In development! • Use the report feature to track exceptions – You’ll learn some interesting things…
  22. Exercise 7 – CSP • Your company’s website needs help!

    – They have no CSP – We can add one ourselves in transit Hacker Challenge 7: Write a CSP for your website and embed it using FiddlerScript
  23. Some quick account enumeration tips • There are usually multiple

    vectors for identifying the existence of an account • There may or may not be anti-automation defence – And it may be inconsistent across vectors • It may or may not even matter… – Very dependent on the nature of the site
  24. Exercise 8 – Account enumeration • Identify vectors for account

    enumeration – Think about how to “ask” the site about an account – Identify positive versus negative responses Hacker Challenge 8: Identify 3 sites you use that disclose the presence of your account