XSS session with Cobham Academy, Photobox and Toreon

1. NCC Hackers
Dinis Cruz, Chief Information Security Officer
17 January 2018
1

2. These are
your CV!
Quick quiz
What are those?!?!

3. Why Consider a Career in Cyber Security?
Whatever your interests or skills,
there’s an exciting job for you
A well paid career, with plenty of
employers looking for talent
A fast-paced career; it evolves quickly
and you’ll always be learning new tricks
You’ll help companies and
people stay safe by fighting
cybercrime
There will always be a high
demand for your skills
Solving cyber security problems
is a great challenge

4. Typical job roles
4
● Cyber Security Specialist
● Incident Response Centre
(IRC) Analyst
● Intelligence Researcher
● Penetration Tester
● Secure Operations Centre
(SOC) Analyst
● Security Engineer
...to name just a few

5. How much can I earn?
5
between
£20,000 - £130,000 per
year *
*depending on experience and chosen role

6. Coding skills are in constant demand
Steve Jobs said:
"Everybody in this country should learn how to program a computer...
because it teaches you how to think"
Learn to code and develop skills to excel in the world of cyber security
● It’s fun and highly rewarding (like solving puzzles)
● Your skills will always be in demand by employers
● Writing code allows you to automate yourself and speed up processes
● As a coder, you will increase your earning potential significantly
● Companies pay you to find problems within their systems (BugBounty)
● When you see your creation come to life, you’ll be amazed!

7. How learning to hack can help
Ethical hackers get paid to find holes in a company's infrastructure

11. Google’s Bug Bounty Programme
Today, you’ll
find issues
like these.
Google pay
between
$100 -
$7,500 for
Bug Bounty
Hunters
finding
similar issues.

12. Bug Bounty List
www.bugcrowd.com/bug-bounty-list/
A comprehensive, up to date
list of bug bounty and
disclosure programs from
across the web curated by the
Bugcrowd researcher
community.

13. You find holes. You get paid.
Bug Bounty Hunters will find vulnerabilities and report these to the company.
The company rewards you for letting them know what you’ve found.
The average bug bounty payout is $1,923
The highest bug bounty paid last year was
$30,000
...just for finding a vulnerability in a company's infrastructure
https://threatpost.com/average-bug-bounty-payments-
growing/126570/

14. GitHub
● GitHub is a website and service that geeks rave about all the time
● It’s a web-based Git (version control repository) and Internet hosting
service which is mostly used for code.

16. GitHub
Join the repository
https://github.com/photobox/NCCHackers

17. The Hackathon

18. What is a hackathon?

19. Who are Avatao?
Avatao is providing the Hackathon platform

20. Avatao
1. Go to https://platform.avatao.com
2. Login
3. Search for
Hackney Community College: Introduction to Security

21. 1st Avatao challenge … let’s do it!

22. XSS
22
● This is a technique used by hackers
● XSS is one of the most common weaknesses in software development
● XSS is a code injection attack that allows an attacker to execute malicious JavaScript in
another user's browser
● An attacker does not directly target his victim
■ They exploit a vulnerability in a website that the victim visits and gets the
website to deliver the malicious JavaScript for them
■ The malicious JavaScript appears to be a legitimate part of the website, the
website acts as an unintentional accomplice to the attacker

23. Recap on last session
23
● Last session we completed a challenge on XSS (Cross Site Scripting)
● This is a technique used by hackers

24. Find us on this Slack organisation
https://join.slack.com/t/ncc-hackers/signup