It could happen to anyone - FrontEnd Connect 2017

Thought hacking was hard? It’s not, it’s easy and I’m going to show you how! Most sites are far more vulnerable to attack than they think. In this talk we’ll go through a series of hacking stories and break down each hack together to see exactly how it was done. By the end you’ll walk away perhaps a little more scared, but definitely armed with some good practices you can apply immediately to your own applications.

It could happen to anyone - FrontEnd Connect 2017

  1. Asim Hussain @jawache codecraft.tv microsoft.com
  2. (image slide)
  3. Photo by Kristina Flour on Unsplash
  4. Photo by Veri Ivanova on Unsplash
  5. Mr Robot
  6. (image slide)
  7. Photo by Nolan Issac on Unsplash
  8. On Premise: Hardware, OS, App. IaaS: Hardware, OS, App. PaaS: Hardware, OS, App.
  9. Google App Engine, Heroku, Amazon Beanstalk, Azure App Services
  10. (image slide)
  11. It's Always Sunny In Philadelphia
  12. (image slide)
  13. 'SELECT * FROM COMPANIES WHERE name =' + name;
  14. SELECT * FROM COMPANIES WHERE name =; DROP TABLE "COMPANIES"; --LTD
  15. (image slide)
  16. (image slide)
  17. Photo by Braydon Anderson on Unsplash
  18. (image slide)
  19. (image slide)
  20. @orange_8361
  21. git push http://example.com
  22. git push http://localhost
  23. git push http://0
  24. git push http://0:9200/_shutdown
  25. def send_email(request):
          try:
              recipients = request.GET['to'].split(',')
              url = request.GET['url']
              proto, server, path, query, frag = urlsplit(url)
              if query:
                  path += '?' + query
              conn = HTTPConnection(server)
              conn.request('GET', path)
              resp = conn.getresponse()
              ...
  26. http://0:8000/composer/send_email?to=orange@nogg&url=http://127.0.0.1:12345/foo
  27. (same send_email code as slide 25)
  28. \r\n
  29. %0D%0A
  30. http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo:
  31. GET /%0D%0Ahello%0D%0AFoo: HTTP/1.1
      Host: 127.0.0.1:12345
      Accept-Encoding: identity
  32. GET /
      hello
      Foo: HTTP/1.1
      Host: 127.0.0.1:12345
      Accept-Encoding: identity
  33. ...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A
  34. GET /
      set key 0 900 4 data
       HTTP/1.1
      Host: 127.0.0.1:11211
      Accept-Encoding: identity
  35. (same as slide 34)
  36. (code, shown as an image)
  37. (code, shown as an image)
  38. DeprecatedInstanceVariableProxy
  39. (image slide)
  40. Photo by Kelly Sikkema on Unsplash
  41. (image slide)
  42. (image slide)
  43. (image slide)
  44. (image slide)
  45. cross-env vs. crossenv
  46. Photo by Jairo Alzate on Unsplash
  47. Stop pretending. Don't assume. Small vulnerability. Don't trust anyone. PaaS. Sanitise. Fix.
  48. https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/
  49. Asim Hussain @jawache codecraft.tv microsoft.com
  50. PaaS Platforms
      Azure App Services: https://aka.ms/azure-app-service-docs
      Google App Engine: https://cloud.google.com/appengine/
      Heroku: https://heroku.com
      Amazon Elastic Beanstalk: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html
  51. Metasploit: https://www.metasploit.com/
      DropTables Company: https://beta.companieshouse.gov.uk/company/10542519
      SQLMap: http://sqlmap.org/
      How I Chained 4 vulnerabilities on GitHub Enterprise, Orange Tsai: http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
      Malicious packages in npm. Here’s what to do, Ivan Akulov: https://iamakulov.com/notes/npm-malicious-packages/
      Oscar Bolmsten on Twitter: https://twitter.com/o_cee/status/892306836199800836
  52. npm module sqlstring: https://www.npmjs.com/package/sqlstring
      Exploit DB: https://www.exploit-db.com/
      Brian Clarke Security Course on Pluralsight: https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/
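The SSRF plus CRLF injection chain on slides 21 to 35 (a user-supplied URL reaching a loopback service, with %0D%0A in the path smuggling extra lines into the request), as an added example that is not the deck's or GitHub's code. It builds the raw request bytes in memory and never opens a socket. The URL splitter is a hand-rolled reconstruction of what older urllib/http.client did, because current Python strips tab, CR and LF from URLs in urlsplit and rejects control characters in http.client, so the stock calls no longer reproduce the bug. The memcached payload puts the data block on its own line, which is the format of memcached's text protocol (the slide's one-line payload is a compression of the same idea). The hardened check, its name and its resolver hook are assumptions added here.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Reconstruction of the URL splitting older urllib versions performed: nothing is
# stripped or rejected, so CR/LF in the path survive into the request line.
_LEGACY_URL = re.compile(
    r"([a-zA-Z][a-zA-Z0-9+.-]*)://([^/?#]*)([^?#]*)(?:\?([^#]*))?(?:#(.*))?", re.DOTALL
)


def legacy_urlsplit(url):
    m = _LEGACY_URL.fullmatch(url)
    if not m:
        raise ValueError("not an absolute URL")
    proto, server, path, query, frag = m.groups()
    return proto, server, path or "/", query or "", frag or ""


def target_from_query_string(qs):
    """The view on slide 25 reads request.GET['url']; parse_qs applies the same
    percent-decoding, so %0D%0A arrives as a real CR LF pair."""
    return parse_qs(qs)["url"][0]


def build_request_legacy(url):
    """What slides 25-35 show: the path is written into the request line as-is.
    Returns the bytes that would go to the socket (no network access here)."""
    proto, server, path, query, frag = legacy_urlsplit(url)
    if query:
        path += "?" + query
    return (f"GET {path} HTTP/1.1\r\n"
            f"Host: {server}\r\n"
            f"Accept-Encoding: identity\r\n\r\n").encode()


def wire_lines(raw):
    """Split the request the way a line-oriented server such as memcached reads it."""
    return raw.decode().split("\r\n")


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def _resolve(host, port):
    """Default resolver: every address the host maps to (literal IPs need no DNS)."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_outbound_url(url, resolve=None):
    """Hardened replacement (an assumption added here, not the deck's code):
    reject control characters before any parsing, allow only absolute http(s)
    URLs, and refuse hosts whose addresses are not globally routable, which
    covers 0, 127.0.0.1, 10/8, 169.254/16, ::1 and friends. Returns
    (host, port, path) or raises ValueError."""
    if _CONTROL.search(url):
        raise ValueError("control characters in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("only absolute http(s) URLs with a host are allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    for ip in (resolve or _resolve)(parts.hostname, port):
        if not ipaddress.ip_address(ip).is_global:
            raise ValueError(f"{parts.hostname} resolves to non-public address {ip}")
    return parts.hostname, port, parts.path or "/"


def is_safe_outbound_url(url, resolve=None):
    try:
        check_outbound_url(url, resolve)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed attacker query string, in the shape of slides 26 and 33.
    qs = ("to=orange@nogg&url=http://127.0.0.1:11211/"
          "%0D%0Aset%20key%200%20900%204%0D%0Adata%0D%0A")
    url = target_from_query_string(qs)
    for line in wire_lines(build_request_legacy(url)):
        print(repr(line))          # the memcached 'set' lands on its own line
    print(is_safe_outbound_url(url))                       # False: CR/LF
    print(is_safe_outbound_url("http://0:9200/_shutdown")) # False on Linux: 0 is 0.0.0.0
```

Two points the check is built around. First, the control-character test runs on the raw input, because a check placed after urlsplit would pass on current Python, which strips CR and LF silently. Second, resolving and then connecting is a time-of-check/time-of-use gap (DNS rebinding): in production, connect to the address you validated rather than letting the HTTP client resolve the name again, and treat redirects as new URLs that go through the same check.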
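Slide 45 (cross-env vs. crossenv) is about typosquatted npm packages: a name one edit away from a popular package, carrying the real package's code plus a postinstall script that shipped the installer's environment variables off-box. A check a team can run against its own package.json before install, as an added example (not the deck's or npm's code): it flags any declared dependency that is not on a known-good list but is within two edits of one, or becomes one after dropping an affix such as ".js" or "node-". The known-package list, the affix list and the sample package.json are constructed for the example.

```python
import json

# Constructed allow-list: the names a team actually depends on. In practice this
# comes from a curated list or the lockfile of a known-good build.
KNOWN_PACKAGES = [
    "cross-env", "express", "lodash", "mongoose", "nodemailer", "sqlite3",
    "mysql", "sqlstring", "jquery", "d3",
]

# Affixes seen on lookalike names; constructed for the example.
AFFIXES = ("node-", "-node", ".js", "-js", "js")

# Constructed package.json with three mistyped names among real ones.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "crossenv": "^5.0.0",
        "express": "^4.15.0",
        "mongose": "^4.11.0",
        "jquery.js": "^3.2.0",
    },
    "devDependencies": {"lodash": "^4.17.4"},
})


def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_affixes(name):
    """'jquery.js' -> 'jquery', 'node-sqlite' -> 'sqlite', 'mysqljs' -> 'mysql'."""
    for a in AFFIXES:
        if name.startswith(a):
            name = name[len(a):]
        if name.endswith(a):
            name = name[:-len(a)]
    return name


def typosquat_candidates(package_json_text, known=KNOWN_PACKAGES, max_distance=2):
    """Return (declared, lookalike, distance) for every dependency that is not
    on the known list but is an affix away from, or within max_distance edits
    of, a known name. Sorted by declared name."""
    manifest = json.loads(package_json_text)
    declared = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        declared.update(manifest.get(section, {}))
    known_set = set(known)
    findings = []
    for name in sorted(declared):
        if name in known_set:
            continue
        stripped = strip_affixes(name)
        if stripped in known_set:
            findings.append((name, stripped, edit_distance(name, stripped)))
            continue
        best = min(known, key=lambda k: edit_distance(name, k))
        d = edit_distance(name, best)
        if d <= max_distance:
            findings.append((name, best, d))
    return findings


if __name__ == "__main__":
    for declared, lookalike, d in typosquat_candidates(SAMPLE_PACKAGE_JSON):
        print(f"{declared!r} looks like {lookalike!r} (distance {d}): check before installing")
```

This is a review prompt, not a gate: very short names (d3, vue) produce false positives at distance 1 or 2, and a lookalike that is three substitutions away slips through. It complements, rather than replaces, installing with `npm install --ignore-scripts` in CI so that a postinstall hook in a package you did not intend to pull in never runs.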