Hackers and developers are compared in the document. Hackers are described as skillful with deep technical understanding but often unsocial and focused on breaking systems. Developers are portrayed as true professionals who work with people to build applications and believe they can change the world. The document then provides examples of how hacking can look simple, such as cross-site scripting attacks on websites. It offers suggestions for prevention including input sanitization and access control. Later it discusses hacking in Node.js and risks of SQL and NoSQL injection. Finally it addresses how hacking and development skills could be applied for social good or security testing.
2. Introduction
Player 1 :
Hackers
Expert: Skillful, with detailed understanding
of some area deeply, often scarily deeply.
Unsocial: Don’t want to come out of the shell.
Breaker: Hack Apps
Cool: People think that they are cool and they
think they are Awesome.
Super Power: They believe that they can be
"Masters of the Universe"
#sitWDF
Controller: Can use lot of Systems and
Languages and get them talk to each other.
Social: True and broad professionals, work
with people and communicate well
Builder: Create Apps
Boring: There are other more important
things in life than just coding.
Super Power: They believe they can change
this World.
Player 2 :
Developers
VS
8. Hacking looks ‘Simple’
#sitWDF
XSS - Cross Site Scripting
JavaScript's Built-In Function(s)
replace (JS String replace Method): returns a string after a pattern
http://www.zaobao.com.sg/search/site/"xxxxxxxx'yyyyy</img
Possibilities:
http://www.zaobao.com.sg/search/site/"-confirm(1)-"
http://www.zaobao.com.sg/search/site/");confirm(1);("
http://www.zaobao.com.sg/search/site/");confirm(1);// (does not work because // is filtered)
10. Easy Rules
#sitWDF
Preventions
• XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
• HTML5 Security Clean Sheet
• Secure Coding Practice Guidelines
• Use Clean URL's: https://www.site.com/news.php?id=1337 is way more tempting than
https://www.site.com/news/some-news-or-today
• Sanitize Inputs: Must for XSS
• Controlling Access Control: http://www.site.com/phpmyadmin gave us access to comple
te database! No injection, nothing
• Validation on Input.
• Use White-Listing
• Switch-Off Errors.
11. Easy Rules
#sitWDF
Remember
“Successful hackers are not just good at hacking. What makes a great hacker successful is
that they are excellent at understanding human nature.”
( Developers love their code, just like its their child. )
“Do not trust anything ever, specially when it comes to user input.”
“Security is about layers. It has to be because no single layer can be guaranteed to actually be
secure”
Security is nothing but an ILLUSION.
14. Hacking looks ‘Simple’
Even for
#sitWDF
Breaking SuccessFactors's XSS Filter
'-confirm(1)-' was enough to break SAP's SuccessFactors's XSS filter and were able to
make hundreds of web applications vulnerable ...
https://jobs.sap.com/talentcommunity/login/?returnurl="xxxxxxxx'yyyyy</img
Possibilities:
• </script><script>alert(1)</script>
• '-confirm(1)-'
15. Hacking looks ‘Simple’
Even for
#sitWDF
Breaking SuccessFactors's XSS Filter
https://jobs.sap.com/talentcommunity/login/?returnurl=</script><script>alert(1)</script>
Next Vector: <img src=x onerror=alert(1)>
16. Hacking looks ‘Simple’
Even for
#sitWDF
Breaking SuccessFactors's XSS Filter
Next Vector: <img src=x onerror=confirm(1)>
Next Vector: <a href=javascript:confirm(1)>click</a>
17. Hacking looks ‘Simple’
Even for
#sitWDF
Breaking SuccessFactors's XSS Filter
Next Vectors:
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)>
• <input type=search onsearch=confirm(1)>
24. Hacking in Node.js
#sitWDF
Off Course XSS
Improper parsing of nested tags and Incomplete filtering of javascript: URIs
<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>
<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>
(With any Encoding)
25. Hacking in Node.js
#sitWDF
Server Side JavaScript Injection
Simple JS Command:
response.end(“Ended Response”);
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l user input"],
26. Hacking in Node.js
#sitWDF
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT * FROM users WHERE username = '$username' AND password = '$password‘
(SELECT * FROM users WHERE username = '' or 1=1--' AND password = '‘)
select author from books where id=$id -> (select author from books where id=2 or 1=1)
Statement stmt = conn.createStatement("INSERT INTO students VALUES('" + user + "')");
stmt.execute();
(Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password}); (NoSQL)
{ "username": {"$gt": ""},
"password": {"$gt": ""} }
27. Secure Node.js
#sitWDF
Protection
XSS Prevention
• Sanitize untrusted HTML
http://jsxss.com/en/index.html
https://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Substitution of the eval() with the JSON.parse() function, the code is no longer injectable
• Use child_process.execFile or child_process.spawn instead of child_process.exec
28. Secure Node.js
#sitWDF
Protection
SQL and NoSQL Injection Prevention
• Using Parameterize SQL
var q = 'SELECT name FROM books WHERE id = $1'; client.query(q, ['3'], function(err, result) {});
• PreparedStatements avoid/prevent SQL Injection
Statement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
stmt.setString(1, user);
stmt.execute();
(Use the $in Operator to Match Values)
db.users.find({user: { $in: [user] }, pass: { $in: [pass] }}); (NoSQL)
30. Positive Side
• Social Good: find solution for social benefit, operations and emergencies
• Penetration Testing: to find vulnerabilities that an attacker could exploit
• open-source: much of this open-source code is produced, tested and
improved by hackers, usually like hackathons
#sitWDF
Good Cause
31. Negative Side
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
• Source: Chapman University
#sitWDF
Top 10 fears of 2015