How hacking works - Web edition - Espen Sande-Larsen - NDC Sydney 2024

Modern web applications are complex and vulnerable to many types of exploits including SQL injection, XSS, template poisoning, prototype pollution, broken authentication and misconfigurations

Different types of hackers are categorized by “hat colors”:

• White hats: Ethical hackers hired for pentesting
• Black hats: Malicious hackers doing illegal activities
• Grey hats: Break systems but may disclose findings
• Red hats: Hunt other hackers and take down hacker organizations
• Blue hats: Test pre-release software for companies
• Green hats: New hackers starting their journey

CTFs (Capture The Flag) challenges are an excellent way to:

• Learn security concepts hands-on
• Practice adversarial techniques
• Understand how vulnerabilities work
• Build better, more secure software

OWASP (Open Web Application Security Project) provides critical resources:

• Top 10 security risks list
• Juice Shop vulnerable web app for practice
• Guidelines and awareness about application security

Key recommendations for developers:

• Be careful with third-party code and dependencies
• Validate and vet libraries before using them
• Test applications with adversarial mindset
• Practice breaking your own code
• Study common vulnerabilities and exploits

Common web vulnerabilities often arise from:

• Trusting user input without proper validation
• Misconfigurations in web servers/applications
• Insecure deserialization of data
• Undefined behaviors in functions/libraries
• Hidden metadata in files that can be exploited

The CVE (Common Vulnerabilities and Exposures) database is a valuable resource for learning about known vulnerabilities and their fixes

Learning hacking techniques helps developers:

• Think differently about security
• Build more secure applications
• Understand potential attack vectors
• Identify vulnerabilities early