How hacking works - Web edition - Espen Sande-Larsen - NDC Oslo 2024

Learn how hackers exploit web vulnerabilities, explore different hacking approaches, and discover key security considerations to protect your applications with Espen Sande-Larsen.

Key takeaways
  • CTFs (Capture The Flag) are engaging competitions that help develop offensive security skills and security awareness while learning in a safe, legal environment
  • Different types of hackers are classified by “hat colors”:
    • Black hats: Malicious attackers
    • White hats: Ethical hackers/security researchers
    • Grey hats: Operating in between, sometimes breaking rules but not malicious
    • Blue hats: Zero-day vulnerability hunters hired by corporations
  • Modern web vulnerabilities are more critical than traditional exploits:
    • Cross-site scripting
    • Template poisoning
    • Broken authentication
    • Third-party dependencies
    • Supply chain attacks
  • Common exploit categories include:
    • Buffer overflows/stack smashing
    • Return-oriented programming (ROP)
    • Cryptography attacks
    • Forensics/log analysis
    • Reverse engineering
  • Organizations like OWASP help manage and track vulnerabilities:
    • Maintain vulnerability databases (CVE)
    • Publish security guidelines
    • Create training resources like Juice Shop
    • Track critical security risks
  • Key security considerations:
    • Don’t blindly trust third-party code
    • Test applications from an offensive mindset
    • Consider security during the design phase
    • Keep up with new vulnerability types
    • Validate all inputs thoroughly
  • Learning resources available:
    • HackTheBox
    • TryHackMe
    • PicoCTF
    • CTF competitions at security conferences
    • OWASP training materials