How hacking works - Web edition - Espen Sande-Larsen - NDC Sydney 2024

Espen Sande-Larsen

Learn how web hacking works, from SQL injection to XSS attacks. Understand hacker types, practice with CTF challenges, and discover how to build more secure applications.

Key takeaways
  • Modern web applications are complex and vulnerable to many types of exploits including SQL injection, XSS, template poisoning, prototype pollution, broken authentication and misconfigurations

  • Different types of hackers are categorized by “hat colors”:

    • White hats: Ethical hackers hired for pentesting
    • Black hats: Malicious hackers doing illegal activities
    • Grey hats: Break systems but may disclose findings
    • Red hats: Hunt other hackers and take down hacker organizations
    • Blue hats: Test pre-release software for companies
    • Green hats: New hackers starting their journey
  • CTFs (Capture The Flag) challenges are an excellent way to:

    • Learn security concepts hands-on
    • Practice adversarial techniques
    • Understand how vulnerabilities work
    • Build better, more secure software
  • OWASP (Open Web Application Security Project) provides critical resources:

    • Top 10 security risks list
    • Juice Shop vulnerable web app for practice
    • Guidelines and awareness about application security
  • Key recommendations for developers:

    • Be careful with third-party code and dependencies
    • Validate and vet libraries before using them
    • Test applications with adversarial mindset
    • Practice breaking your own code
    • Study common vulnerabilities and exploits
  • Common web vulnerabilities often arise from:

    • Trusting user input without proper validation
    • Misconfigurations in web servers/applications
    • Insecure deserialization of data
    • Undefined behaviors in functions/libraries
    • Hidden metadata in files that can be exploited
  • The CVE (Common Vulnerabilities and Exposures) database is a valuable resource for learning about known vulnerabilities and their fixes

  • Learning hacking techniques helps developers:

    • Think differently about security
    • Build more secure applications
    • Understand potential attack vectors
    • Identify vulnerabilities early