How hacking works - Web edition - Espen Sande-Larsen - NDC Sydney 2024

Learn how web hacking works, from SQL injection to XSS attacks. Understand hacker types, practice with CTF challenges, and discover how to build more secure applications.

Key takeaways
  • Modern web applications are complex and vulnerable to many types of exploits including SQL injection, XSS, template poisoning, prototype pollution, broken authentication and misconfigurations

  • Different types of hackers are categorized by “hat colors”:

    • White hats: Ethical hackers hired for pentesting
    • Black hats: Malicious hackers doing illegal activities
    • Grey hats: Break systems but may disclose findings
    • Red hats: Hunt other hackers and take down hacker organizations
    • Blue hats: Test pre-release software for companies
    • Green hats: New hackers starting their journey
  • CTF (Capture The Flag) challenges are an excellent way to:

    • Learn security concepts hands-on
    • Practice adversarial techniques
    • Understand how vulnerabilities work
    • Build better, more secure software
  • OWASP (Open Web Application Security Project) provides critical resources:

    • Top 10 security risks list
    • Juice Shop vulnerable web app for practice
    • Guidelines and awareness about application security
  • Key recommendations for developers:

    • Be careful with third-party code and dependencies
    • Validate and vet libraries before using them
    • Test applications with adversarial mindset
    • Practice breaking your own code
    • Study common vulnerabilities and exploits
  • Common web vulnerabilities often arise from:

    • Trusting user input without proper validation
    • Misconfigurations in web servers/applications
    • Insecure deserialization of data
    • Undefined behaviors in functions/libraries
    • Hidden metadata in files that can be exploited
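The first and third causes above (trusting user input, insecure deserialization) meet in prototype pollution, one of the vulnerability classes the talk names. The example below is an added illustration, not code from the talk or from any project it mentions: a naive recursive merge of a parsed JSON body next to a hardened merge that validates keys before copying them. The JSON payload, the setting names and the function names are constructed for the demonstration.

```javascript
// Added example: prototype pollution through an unsafe deep merge of
// untrusted JSON, beside a hardened merge that validates keys first.
// Everything here (payload, names, functions) is constructed for the demo.

// Naive deep merge: copies every key of `src` into `dst`, recursing into
// nested objects. JSON.parse creates an *own* property named "__proto__"
// when the input contains one, and reading dst["__proto__"] returns
// Object.prototype, so the recursion writes straight into the global
// prototype shared by every plain object in the process.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const existing = dst[key];
      if (!existing || typeof existing !== "object") dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Keys that let a nested object climb out of `dst` and reach a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened merge: rejects prototype-reaching keys outright and only
// recurses into properties that `dst` itself owns, never inherited ones.
function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe key in input: ${key}`);
    }
    const value = src[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || !dst[key] || typeof dst[key] !== "object") dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed request body of the shape a settings endpoint might accept.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Runs the naive merge and reports whether an unrelated, freshly created
// object now appears to carry isAdmin. Cleans up afterwards so the rest
// of the process is not left polluted.
function demoUnsafe() {
  const settings = {};
  unsafeMerge(settings, JSON.parse(UNTRUSTED_JSON));
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;
  return leaked;
}

// Runs the hardened merge on the same body: the input is rejected and
// no unrelated object gains the property.
function demoSafe() {
  const settings = {};
  let rejected = false;
  try {
    safeMerge(settings, JSON.parse(UNTRUSTED_JSON));
  } catch (e) {
    rejected = true;
  }
  return { rejected, leaked: ({}).isAdmin === true };
}

console.log("unsafe merge leaked isAdmin:", demoUnsafe());
console.log("safe merge result:", demoSafe());
```

The key denylist is the visible fix, but the `hasOwnProperty` check matters just as much: it stops the merge from recursing into anything `dst` merely inherits, which is the step that turns a harmless-looking key into a write against a shared prototype. A schema validator applied to the body before it reaches any merge is the usual complement.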
  • The CVE (Common Vulnerabilities and Exposures) database is a valuable resource for learning about known vulnerabilities and their fixes

  • Learning hacking techniques helps developers:

    • Think differently about security
    • Build more secure applications
    • Understand potential attack vectors
    • Identify vulnerabilities early