How hacking works - Web edition - Espen Sande-Larsen - NDC Sydney 2024
Learn how web hacking works, from SQL injection to XSS attacks. Understand hacker types, practice with CTF challenges, and discover how to build more secure applications.
-
Modern web applications are complex and vulnerable to many types of exploits, including SQL injection, XSS, template poisoning, prototype pollution, broken authentication and misconfigurations
-
Different types of hackers are categorized by “hat colors”:
- White hats: Ethical hackers hired for pentesting
- Black hats: Malicious hackers doing illegal activities
- Grey hats: Break systems but may disclose findings
- Red hats: Hunt other hackers and take down hacker organizations
- Blue hats: Test pre-release software for companies
- Green hats: New hackers starting their journey
-
CTF (Capture The Flag) challenges are an excellent way to:
- Learn security concepts hands-on
- Practice adversarial techniques
- Understand how vulnerabilities work
- Build better, more secure software
-
OWASP (Open Web Application Security Project) provides critical resources:
- Top 10 security risks list
- Juice Shop vulnerable web app for practice
- Guidelines and awareness about application security
-
Key recommendations for developers:
- Be careful with third-party code and dependencies
- Validate and vet libraries before using them
- Test applications with adversarial mindset
- Practice breaking your own code
- Study common vulnerabilities and exploits
-
Common web vulnerabilities often arise from:
- Trusting user input without proper validation
- Misconfigurations in web servers/applications
- Insecure deserialization of data
- Undefined behaviors in functions/libraries
- Hidden metadata in files that can be exploited
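The first and third items above (trusting user input, insecure deserialization) are how the prototype pollution named at the top of this page arises. As an added example, not code from the talk, here is a naive recursive merge of an untrusted JSON body beside a hardened version; the function names are assumptions and the request body is constructed for the demonstration.

```javascript
// Added example, not from the talk: a naive recursive merge of an untrusted
// JSON body (a common pattern in web apps) beside a hardened version.
// The request body below is constructed for the demonstration.

// Vulnerable: copies every own key of `source`, including "__proto__".
// Reading target["__proto__"] yields Object.prototype, so the recursion
// writes the attacker-controlled keys onto every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, and only recurse
// into plain objects that `target` owns itself, never into inherited ones.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed request body: JSON.parse creates an own "__proto__" property.
const UNTRUSTED_BODY = '{"name": "guest", "__proto__": {"isAdmin": true}}';

// Runs one merge against the body and reports whether an unrelated, freshly
// created object now "has" isAdmin; cleans Object.prototype before and after.
function pollutesGlobalPrototype(mergeFn) {
  delete Object.prototype.isAdmin;
  mergeFn({}, JSON.parse(UNTRUSTED_BODY));
  const leaked = {}.isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

console.log("naiveMerge pollutes:", pollutesGlobalPrototype(naiveMerge)); // true
console.log("safeMerge pollutes:", pollutesGlobalPrototype(safeMerge));   // false
```

As defence in depth, Node can be started with `--disable-proto=delete` so the `__proto__` accessor is absent altogether, and a merged target created with `Object.create(null)` has no prototype to reach.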
-
The CVE (Common Vulnerabilities and Exposures) database is a valuable resource for learning about known vulnerabilities and their fixes
-
Learning hacking techniques helps developers:
- Think differently about security
- Build more secure applications
- Understand potential attack vectors
- Identify vulnerabilities early