How hacking works - Web edition - Espen Sande-Larsen - NDC Oslo 2024

CTFs (Capture The Flag) are engaging competitions that help develop offensive security skills and security awareness while learning in a safe, legal environment

Different types of hackers are classified by “hat colors”:

• Black hats: Malicious attackers
• White hats: Ethical hackers/security researchers
• Grey hats: Operating in between, sometimes breaking rules but not malicious
• Blue hats: Zero-day vulnerability hunters hired by corporations

Modern web vulnerabilities are more critical than traditional exploits:

• Cross-site scripting
• Template poisoning
• Broken authentication
• Third-party dependencies
• Supply chain attacks

Common exploit categories include:

• Buffer overflows/stack smashing
• Return-oriented programming (ROP)
• Cryptography attacks
• Forensics/log analysis
• Reverse engineering

Organizations like OWASP help manage and track vulnerabilities:

• Maintain vulnerability databases (CVE)
• Publish security guidelines
• Create training resources like Juice Shop
• Track critical security risks

Key security considerations:

• Don’t blindly trust third-party code
• Test applications from an offensive mindset
• Consider security during design phase
• Keep up with new vulnerability types
• Validate all inputs thoroughly

Learning resources available:

• HackTheBox
• TryHackMe
• PicoCTF
• CTF competitions at security conferences
• OWASP training materials