[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Security Division at mgm technology partners Vietnam

Have you ever wondered what a day at work looks like for a professional hacker? In this talk, Dennis Stötzel gives an introduction to web application security and shows what a security expert does for a living.

Published in: Technology

  1. Hacking for fun and profit. A day in the life of a professional hacker. Dennis Stötzel, 20/04/18. (mgm locations: München/HQ, Bamberg, Berlin, Đà Nẵng, Dresden, Grenoble, Hamburg, Cologne, Leipzig, Nuremberg, Prague, Washington, Zug)
  2. Free Wifi?
  3. (no text on slide)
  4. A day in the life of a hacker… Morning / Afternoon / Evening
  5. A day in the life of a hacker… Morning: Make some money at a developer conference. Afternoon. Evening.
  6. Blackhat vs. Whitehat
  7. The Pineapple Attack, or: How to make some crypto coins at a conference …
  8. Free Wifi?
  9. Setup
  10. The Parts
     • hostapd: Create, configure and open an access point
     • dnsmasq: DNS forwarding and DHCP
     • Proxy
       • run all HTTP traffic through the proxy
       • easily control the content of HTTP requests
     • Strip security headers: Take away unwanted HTTP headers
       • Content-Security-Policy
       • Strict-Transport-Security
       • Caching / compression
       • …
  11. The script
  12. Putting it all together
  13. (no text on slide)
  14. Profit!
  15. What else COULD have happened?
     • Steal your sensitive data
       • passwords
       • banking data
       • …
     • Inject REAL malware into your browser
     • Abuse vulnerabilities in older browsers (or plugins like Flash)
       • gain control of your machine
       • make your computer a zombie
  16. How to protect?
  17. (no text on slide)
  18. The User
     • Do not blindly connect to any free wifi!!!!!1111
  19. The User
     • Do not blindly connect to any free wifi!!!!!1111
     • Prefer websites that use SSL
     • Don't do sensitive transactions (like online banking) over an unknown wifi connection
     • Be careful when a website is suddenly HTTP instead of HTTPS
     • Use a VPN
  20. The Websites
     • Use SSL/TLS
       • an evil AP cannot inject into an encrypted connection
     • Use HSTS (HTTP Strict Transport Security)
       • to defend against SSL stripping
       • Strict-Transport-Security: max-age=31536000
       • https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
     • Use HSTS preloading
       • https://hstspreload.org
  21. A day in the life of a hacker… Morning: Make some money at a developer conference. Afternoon: Work for the customer. Evening.
  22. whoami: Dennis Stötzel, Managing Principal, Security Team, mgm technology partners Vietnam
     • Born in Germany
     • Lived in Bolivia (South America), Germany, Spain, Vietnam
     • Studied Mathematics in Munich, Germany
     • 6 years security consulting and development
     • Specializations in security
       • Penetration tests
       • Consultings around Secure Software Development Lifecycle (SDLC)
       • Source code analysis
  23. (no text on slide)
  24. We are proud of our 600+ engineers world wide
  25. We are happy to have 80+ employees here in Da Nang Vietnam
  26. We build software:
     • Web and mobile
     • Large enterprise customers in Germany
     We make software secure:
     • Security consulting
     • Penetration testing
     • Developer training
  27. The Work of a Professional Penetration Tester
     • Works only with the customer's consent
       • only on an exactly defined scope
       • only in an exactly defined time period
     • No illegal activities
  28. SQL Injection
  29. SQL Injection. Input: Mr Dennis → Web Application → SELECT user FROM employees WHERE userid='Mr Dennis'
  30. SQL Injection
  31. SQL Injection. Input: foo' UNION SELECT ... → Web Application → SELECT user FROM employees WHERE userid='foo' UNION SELECT salary FROM employees WHERE userid LIKE '%'
  32. http://imgs.xkcd.com/comics/exploits_of_a_mom.png
  33. SQL Injection Consequences
     • Several attacks can be conducted:
         UNION SELECT balance FROM account;
         ; UPDATE interest SET ... ; DELETE ... ; INSERT ...
     • and access to the file system:
         CREATE TABLE footable(data longblob); // create BLOB table
         INSERT INTO footable(data) VALUES(0x4d5a90…610000); // fill table with binary data
         UPDATE footable SET data=CONCAT(data, 0xaa270000…000000);
         […];
         SELECT data FROM footable INTO DUMPFILE 'C:/WINDOWS/Temp/nc.exe'; // drop finished trojan
     • One vulnerable web application may compromise the security of the whole system
  34. SQL Injection - Countermeasures
     • Prepared Statements
     • Stored Procedures
     • Defense-in-Depth
       • Least privilege connections (database user having minimal access rights)
       • separated table spaces
     • Input Encoding
       • If dynamic SQL statements are required:
           string strSanitizedInput = strInput.Replace("'", "''");
           statement.executeQuery("SELECT * FROM MOVIES WHERE TITLE='" + StringEscapeUtils.escapeSql("McHale's Navy") + "'"); // org.apache.commons.lang
  35. SQL Injection – Parameterized Queries (Language - Library: Parameterized Query)
     • Java - Standard:
         String custname = request.getParameter("customerName");
         String query = "SELECT account_balance FROM user_data WHERE user_name = ? ";
         PreparedStatement pstmt = connection.prepareStatement(query);
         pstmt.setString(1, custname);
         ResultSet results = pstmt.executeQuery();
     • Java - Hibernate:
         Query safeHQLQuery = session.createQuery("from Inventory where productID=:productid");
         safeHQLQuery.setParameter("productid", userSuppliedParameter);
     • .NET/C#:
         String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
         try {
             OleDbCommand command = new OleDbCommand(query, connection);
             command.Parameters.Add(new OleDbParameter("customerName", CustomerName.Text));
             OleDbDataReader reader = command.ExecuteReader();
             // …
         } catch (OleDbException se) {
             // error handling
         }
     • ASP.NET:
         string sql = "SELECT * FROM Customers WHERE CustomerId = @CustomerId";
         SqlCommand command = new SqlCommand(sql);
         command.Parameters.Add(new SqlParameter("@CustomerId", System.Data.SqlDbType.Int));
         command.Parameters["@CustomerId"].Value = 1;
     • PHP - PDO:
         $stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
         $stmt->bindParam(':name', $name);
         $stmt->bindParam(':value', $value);
  36. SQL Injection – Further Reading
     • OWASP
       • https://www.owasp.org/index.php/SQL_Injection
       • https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
       • https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
     • SQL Injection Cheat Sheet: http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
     • Pentestmonkey Cheat Sheet: http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet
     • sqlmap: http://sqlmap.sourceforge.net/
  37. A day in the life of a hacker… Morning: Make some money at a developer conference. Afternoon: Work for the customer. Evening: Have a beer & hire some people.
  38. (no text on slide)
  39. Profile
     • Curiosity for web application security
     • Understanding of web and browser technologies
       • HTTP, HTML, JS, SQL, etc.
     • Good English knowledge
     • University degree
  40. (no text on slide)
  41. I want you!
     • https://itviec.com/it-jobs/junior-web-application-security-engineer-mgm-technology-partners-vietnam-3735
     • Mail your CV to: dennis.stoetzel@mgm-sp.com
  42. Innovation Implemented. mgm technology partners Vietnam Co.,Ltd, 07 Pasteur, Đà Nẵng, Vietnam. New office: 07 Phan Chau Trinh, Đà Nẵng, Vietnam. https://www.facebook.com/mgmTechnologyPartnersVietnam/ Dennis Stötzel, Mobile +84 126 2529693, E-Mail dennis.stoetzel@mgm-sp.com
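An added check from the defender's side of slides 10 and 20, not part of the talk: it parses a Strict-Transport-Security value against the one-year max-age shown on slide 20 and reports when the headers the proxy on slide 10 removes are absent from a response. The header names, thresholds and sample responses are constructed for this example.

```python
# Security headers the proxy on slide 10 strips; a monitoring check should flag their absence.
EXPECTED_HEADERS = ("Strict-Transport-Security", "Content-Security-Policy")
ONE_YEAR = 31536000  # the max-age value recommended on slide 20


def parse_hsts(value):
    """Split a Strict-Transport-Security value into its directives (RFC 6797 syntax)."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def assess_hsts(value):
    """Return the weaknesses found in an HSTS header value ([] means it is acceptable)."""
    problems = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not numeric")
    elif int(max_age) < ONE_YEAR:
        problems.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload missing (required by hstspreload.org)")
    return problems


def check_response(headers):
    """Report missing security headers and HSTS weaknesses for one response's headers (dict, any case)."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {h}" for h in EXPECTED_HEADERS if h.lower() not in lower]
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        findings.extend(assess_hsts(hsts))
    return findings


# Constructed samples: the origin's real response headers, and the same response
# after a header-stripping proxy like the one on slide 10 has removed them.
ORIGIN_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'",
}
STRIPPED_HEADERS = {"Content-Type": "text/html", "Cache-Control": "no-cache"}
```

HSTS only protects a browser that has already received the header over HTTPS, which is why slide 20 also recommends preloading.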
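Slides 29 to 35 in working code, added here and not from the talk: the concatenated query from slide 31, the quote-doubling fallback from slide 34 and the parameterized form from slide 35, each run against a constructed in-memory SQLite table with the input shown on slide 31. Table contents and helper names are assumptions for this example.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the employees table used on slides 29 and 31."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (userid TEXT, user TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [("Mr Dennis", "dennis", 5000), ("Ms Anh", "anh", 4200)])
    return conn


def lookup_vulnerable(conn, userid):
    # Slides 29/31: the query is built by concatenation, so the input becomes SQL.
    sql = "SELECT user FROM employees WHERE userid='" + userid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, userid):
    # Slide 34's fallback for dynamic SQL: double every single quote. This stops the
    # payload below, but it is fragile (unquoted numeric contexts are not protected).
    sql = "SELECT user FROM employees WHERE userid='" + userid.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, userid):
    # Slide 35: a placeholder is bound to the input, which stays data and never becomes SQL.
    sql = "SELECT user FROM employees WHERE userid=?"
    return [row[0] for row in conn.execute(sql, (userid,))]


# The input from slide 31: closes the quoted value and appends a UNION that reads salaries.
PAYLOAD = "foo' UNION SELECT salary FROM employees WHERE userid LIKE '%"


def demo():
    """Run the three lookups; only the concatenated one leaks the salary column."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "Mr Dennis"),
        "vulnerable": sorted(lookup_vulnerable(conn, PAYLOAD)),
        "escaped": lookup_escaped(conn, PAYLOAD),
        "parameterized": lookup_parameterized(conn, PAYLOAD),
    }
```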