How to strengthen the CTF Web field
for beginners
2019/10/16
Panasonic Corporation
Product Security Center
Verification Measures Department
Tomohisa Maeda
『Mix Leap Study #52 - The forefront of cyber security 』
Self-introduction
■name Maeda Tomohisa
Twitter: @kazkiti_ctf
■Career
Graduated from Graduate School of Mechanical Engineering
Joined Panasonic Corporation
・ Design/manufacturing quality consultant 9 years
・ System Engineer(SIer) 2 years
・ Security engineer 5.5 years
(Incumbent)
Engaged in vulnerability diagnosis,
threat analysis, design support, etc.
Career and achievements such as CTF
■Career and achievements such as CTF (timeline 2015–2019)
・Started CTF in Japan
・Started CTF around the world
・Entered SECCON domestic finals
・Medical security hacking contest in Japan: second place, second place, championship
・Started bug bounty
・Established our CTF team (Pwnasonic)
Questionnaire
1. Do you know CTF?
2. Have you ever participated in CTF?
Why did I decide to do CTF?
Since becoming a security engineer
Year zero~ Actually, I was a beginner
who didn't even know Cookie …
↓
Acquisition of basic technical skills through
vulnerability diagnosis work
First year~ Promoting vulnerability diagnosis work by one person …
I was always worried “Isn't it leaking the vulnerability?”
I felt “Web application vulnerability diagnosis is deep”
↓
Further technical improvement is required!
Concentrate resources on web apps! (choice and focus)
↓
The CTF Web field was selected as a means of growth for
“enjoying technical improvements and utilizing them in business”
When I started the CTF Web field
■Features of the CTF Web field
・The range of questions is too wide!
・There are too many types of vulnerabilities!
↓
・ So I don't know where to start!
(Keywords on the slide: PHP, Python, Node.js, MySQL, SQLite, PostgreSQL, SSTI, XSS, Apache, nginx, LFI, RFI, SSRF, HTML, CSS, JavaScript, XXE, LDAP, SQL, OAuth 2.0, SAML, Ruby, Java, CVE, OIDC, JSON, Windows, Linux, IIS, Perl, serialization, XML, MSSQL, Oracle, SSO, JWT, NoSQL, XPATH, AWS S3, CloudFront, Lambda)
The study method I tried for the time being (failure story)
■My failure story
・ Since SQL injection questions appear frequently, I started studying with the goal
“Let's be able to solve 100% of the SQL injection problems!”
↓
・ However, SQL injection is deep, and I fell into a quagmire ...
Start CTF seriously (2017~): Change of mind
Purpose/Means/Resource reservation
■Purpose
Improve technical skills and utilize them in business
■Means
CTF (the CTF Web field, selected as the means of growth above)
■Resource reservation
・Prepare to dedicate every weekend to CTF ※CTF is mostly held on weekends
・Take part in CTFs around the world to build up the volume of practice
 Site that summarizes CTF schedules around the world: http://ctftime.org
Goal setting / quantification
■Goal setting ※How far do you want to be able to solve?
■Approximate relationship between technical skills and difficulty ※Measured and defined several times
The difficulty level (accuracy rate [%]) = number of teams that solved the problem / number of teams that solved one or more questions in total

Accuracy rate   Technical ability level
0-1%            World TOP10
1-5%            Japan top class
5-10%           Senior
10-20%          Intermediate
20-40%          Beginner
40-100%         Inexperienced CTF

■Grasping current ability ※Measured and defined several times
At that time, the problems I could solve were all at a difficulty level of about 30% correct answer rate ⇒ Beginner level
Enter the correct answer rate in the write-up (solution) and grasp your ability
In this way I recorded the correct answer rate of each problem and tracked my ability every day.
【 advantage 】
・It became easier to take countermeasures because strengths and weaknesses by field were identified with objective indicators.
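As an added illustration (not part of the original slides), the following Python computes the accuracy-rate formula above, maps it onto the slide's difficulty bands, and aggregates constructed write-up records by field to surface the strengths and weaknesses the talk recommends tracking. The record format and the half-open band boundaries are my assumptions, not something the slides specify.

```python
"""Added example (not part of the original slides): quantify challenge difficulty
with the accuracy-rate formula from the talk and track strengths/weaknesses by field.

Assumptions not stated on the slides: each write-up is recorded as
(field, teams_solved, teams_with_any_solve, solved_by_me), and a band covers the
half-open interval [low, high) so that 30% falls in the 20-40% band.
"""

from collections import defaultdict

# Difficulty bands from the slide's table: (low %, high %, technical ability level).
BANDS = [
    (0, 1, "World TOP10"),
    (1, 5, "Japan top class"),
    (5, 10, "Senior"),
    (10, 20, "Intermediate"),
    (20, 40, "Beginner"),
    (40, 100, "Inexperienced CTF"),
]


def accuracy_rate(teams_solved, teams_with_any_solve):
    """Accuracy rate [%] = teams that solved the problem / teams that solved >= 1 problem."""
    if teams_with_any_solve <= 0:
        raise ValueError("need at least one team with a solve")
    if not 0 <= teams_solved <= teams_with_any_solve:
        raise ValueError("teams_solved must be between 0 and teams_with_any_solve")
    return 100.0 * teams_solved / teams_with_any_solve


def band_for(rate):
    """Map an accuracy rate [%] onto the technical ability level of the table."""
    for low, high, level in BANDS:
        if low <= rate < high:
            return level
    if rate == 100:
        return BANDS[-1][2]  # a problem every team solved still counts as 40-100%
    raise ValueError("rate out of range: %r" % rate)


def field_summary(writeups):
    """Per field: problems attempted/solved and the band of the hardest problem solved.

    'level' is the band of the lowest accuracy rate you solved in that field, i.e.
    the ability level the slides would assign you there; None if nothing was solved.
    """
    stats = defaultdict(lambda: {"attempted": 0, "solved": 0, "hardest_solved_rate": None})
    for field, teams_solved, teams_any, solved_by_me in writeups:
        rate = accuracy_rate(teams_solved, teams_any)
        s = stats[field]
        s["attempted"] += 1
        if solved_by_me:
            s["solved"] += 1
            if s["hardest_solved_rate"] is None or rate < s["hardest_solved_rate"]:
                s["hardest_solved_rate"] = rate
    for s in stats.values():
        r = s["hardest_solved_rate"]
        s["level"] = band_for(r) if r is not None else None
    return dict(stats)


# Constructed sample write-up records: (field, teams_solved, teams_with_any_solve, solved_by_me).
WRITEUPS = [
    ("XSS", 60, 200, True),    # 30% -> Beginner band, solved
    ("XSS", 30, 200, True),    # 15% -> Intermediate band, solved
    ("SQLi", 80, 200, True),   # 40% -> Inexperienced CTF band, solved
    ("SQLi", 16, 200, False),  # 8%  -> Senior band, not solved
    ("SSTI", 4, 200, False),   # 2%  -> Japan top class band, not solved
]

if __name__ == "__main__":
    for field, s in sorted(field_summary(WRITEUPS).items()):
        print(f"{field:5s} solved {s['solved']}/{s['attempted']}  level: {s['level']}")
```

With the constructed records, XSS comes out at Intermediate, SQLi stays at Inexperienced CTF and SSTI has no solved problem yet, which is exactly the kind of per-field indicator the slide says made countermeasures easier to choose.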
Measures by difficulty level
Technical ability to solve 40-100%
Inexperienced CTF
What should we do to be able to solve the accuracy rate of 40-100%?
■Inexperienced CTF
・ People who do not have enough security technology
・ People who have IT-related technology such as development technology
(Example of development technology)
・Understanding the basics of the website (html, css, javascript, etc.)
・Ability to read and understand programming languages
・How to use git
・Setting of HTTP server (Apache / nginx etc.)
Example problem:TokyoWesterns CTF 4th 2018 (1/2)
The following PHP source code can be obtained by
accessing the URL
[Goal] Flag is displayed
Example problem:TokyoWesterns CTF 4th 2018 (2/2)
【Breakthrough point】
Ability to read code
・ Set the action parameter to auth
・ Set the hashed_password parameter to c019f6e5cd8aa0bbbcc6e994a54c757e
・ Set the user or pass parameter to empty (so that hashed_password is not overwritten)
[Goal] Flag is displayed
(Detailed explanation)https://ctftime.org/writeup/10891
Technical ability to solve 20-40%
Beginner
What should we do to be able to solve the accuracy rate of 20-40%?
■Issues that require knowledge/investigation of security
・CTF for beginners (picoCTF, etc.)
・Same problem as previous questions (check write-up)
※Once a question is asked, it becomes a known problem even if the difficulty level is high
・Books (Security Contest Challenge Book etc.)
・Known famous vulnerabilities
※Ability to look up how a vulnerability with a CVE is attacked and solve the problem within the time limit
※People in charge of incident response work are good at this
Example problem:ENCRYPT CTF 2019 (1/2)
When accessing the URL, the following HTML response is obtained
【Breakthrough point】
Basic knowledge of security
・Since the value is 32 hexadecimal digits, it is an MD5 hash
・Since MD5 cannot be calculated backwards, the preimage must be found by exhaustive search (brute force)
Example problem:ENCRYPT CTF 2019 (2/2)
Since the previous value was 100, let's calculate the MD5 values from 0 to 101 and send them!
[Goal] Flag was obtained
(Detailed explanation)https://ctftime.org/writeup/14332
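An added example, not code from the original slides or from the ENCRYPT CTF 2019 challenge: it implements the 32-hex-digit heuristic from the breakthrough point, the exhaustive search over the counter values 0 to 101 that the write-up describes, and the countermeasure (a token that is not derived from a guessable counter). The sample digest is constructed with hashlib here; the challenge's actual HTML response is not reproduced, and the function names are my own.

```python
"""Added example (not from the original slides or the challenge): recognise a
32-hex-digit value as a probable MD5 digest, search a small numeric range for its
preimage, and show the fix. Sample digests are constructed with hashlib below."""

import hashlib
import re
import secrets

MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_hex(text):
    """MD5 hex digest of a UTF-8 string."""
    return hashlib.md5(text.encode()).hexdigest()


def looks_like_md5(token):
    """Heuristic from the slide: 32 hex digits => probably MD5.

    Digest lengths are a quick tell: SHA-1 is 40 hex digits, SHA-256 is 64."""
    return bool(MD5_HEX.match(token))


def find_numeric_preimage(digest, lo, hi):
    """Return the decimal string n in [lo, hi] with md5(n) == digest, or None.

    MD5 cannot be inverted, so the only option is to hash every candidate and
    compare. This is cheap when the input space is a small counter, which is
    exactly why such a token is weak."""
    digest = digest.lower()
    for n in range(lo, hi + 1):
        candidate = str(n)
        if md5_hex(candidate) == digest:
            return candidate
    return None


def issue_token():
    """Countermeasure: derive the token from randomness, not from a counter.

    128 random bits render 32 hex chars too, but no enumeration can recover them."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed token standing in for the one returned by the challenge page.
    token = md5_hex("101")
    print("looks like MD5:", looks_like_md5(token))
    print("preimage in 0..101:", find_numeric_preimage(token, 0, 101))
    print("random token, preimage in 0..101:", find_numeric_preimage(issue_token(), 0, 101))
```

The same search over the random token from issue_token() finds nothing, which is the whole point of the countermeasure: the weakness is not MD5 being "broken" here but the token being a hash of a predictable value.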
Have you stopped around here?
Let's aim for the next level soon!
Technical ability to solve 10-20%
Intermediate
What should we do to be able to solve the accuracy rate of 10-20%?
■Environment construction ability
1. Problems that cannot be solved without an environment
(e.g.1) SSRF problem ⇒ DNS rebinding ※DNS server required
(e.g.2) XSS problem ※HTTP server required
2. Problems whose difficulty is reduced if you build the environment and work by trial and error
(e.g.1) Problems where the source code is given ※Trial and error can be done on your own server ⇒ PHP, Python, Node.js etc.
(e.g.2) SQL injection ※Trial and error is possible by setting up a SQL server
■Measures
・Set up an EC2 server with an AWS account ※1 year free
・Register a domain with DNS ※About 100 yen per year
・Know how to set up servers in various languages using container technology (Docker, etc.)
Important: set up various servers yourself and learn by trial and error!
Example problem:angstromCTF 2019 (1/1)
【Breakthrough point】
・Once a Node.js server was set up, the NoSQL injection could be worked out by trial and error in that environment.
(Detailed explanation)https://ctftime.org/writeup/14922
Technical ability to solve 5-10%
Senior
What should we do to be able to solve the accuracy rate of 5-10%?
■Exhaustive investigation ability
1. Blacklist-bypass problems
・SQL injection
・OS command injection
・SSTI (Server Side Template Injection)
・Arbitrary code execution
■Measures
・Exhaustively examine the available functions in advance
・Check the specifications/RFCs in advance
Example problem:TokyoWesterns CTF 4th 2018(1/2)
Example problem:TokyoWesterns CTF 4th 2018(2/2)
【Breakthrough point】
・ I was exhaustively examining functions that could
execute arbitrary code from SSTI
[Goal] Flag was obtained
Blacklist
(Detailed explanation)https://ctftime.org/writeup/10895
Technical ability to solve 1-5%
Japan top class
What should we do to be able to solve the accuracy rate of 1-5%?
■Ability to enumerate attack scenarios
・Rare vulnerabilities (difficult to find)
・XSS and CSS injection by relative path overwrite attack
・XSS by Cache-Poisoning
・LDAP injection
・Complex problems with other fields such as binary/crypto
■Measures
・Know every type of vulnerability so that you can discover it
・Collect cutting-edge information on a daily basis
Example problem:Meepwn CTF Quals 2019 (1/2)
Example problem:Meepwn CTF Quals 2019 (2/2)
[Goal] Flag was obtained
Final attack URL
【Breakthrough point】
・ Understand XSS by relative path overwrite attack, which is a
rare vulnerability
※After that, create an attack URL according to the conditions.
(Detailed explanation)https://ctftime.org/writeup/10442
Technical ability to solve 0-1%
World TOP10
What should we do to be able to solve the accuracy rate of 0-1%?
Throw away something important in life!
Every day, I'll devote myself thoroughly. I'll try my best.
First break through at one point, focusing on a few vulnerabilities
(Slide illustration: "XSS Payload <script>alert(1)</script>", "What is XST ...", "Danger")
Example problem:Tokyo Westerns CTF 3rd 2017 (1/2)
The HTTP server is accessed via a proxy server, and the source code is given as follows.
The flag is located on another local server within the web server's network.
【Breakthrough point】
・2 years of study and information gathering every day focusing on XSS
・It took 14 hours to solve this question ...
・I feel like I lost something important in my life ...
Example problem:Tokyo Westerns CTF 3rd 2017 (2/2)
▼Flow to completing the final attack code
Read the given Python code
↓
Found an XSS vulnerability in the Referer header
※Usually the Referer header is URL encoded, so XSS is not possible;
however, XSS was possible here because of a special proxy.
↓
Since the flag is on a local IP address, used the XSS to brute-force local IP
addresses; this network investigation found that 192.168.0.4 exists
↓
Again with XSS, completed the final attack code to obtain the flag from 192.168.0.4
(Detailed explanation)https://ctftime.org/writeup/7461
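An added example (not from the original slides or the challenge) of the mechanism the flow above describes: a browser percent-encodes the Referer, a proxy that decodes it before forwarding (an assumed behaviour, standing in for the "special proxy") hands the raw value to the application, and only an application that escapes for the HTML context stays safe. The function names and the sample URL are constructed; the payload string is the one shown on the earlier slide.

```python
"""Added example (not from the original slides or the challenge): why a reflected
Referer header is normally harmless, and how a decoding proxy changes that.

Assumptions: browser_referer() approximates how browsers percent-encode the header;
decoding_proxy() stands in for the challenge's 'special proxy' and simply
percent-decodes the header before forwarding it. Both are constructed, as is the URL.
"""

import html
from urllib.parse import quote, unquote

# The earlier slide's own test payload, placed in the query string of a constructed URL.
CONSTRUCTED_URL = "https://example.test/?q=<script>alert(1)</script>"


def browser_referer(url):
    """Browsers percent-encode '<', '>', '"', '(' etc. in Referer (approximation)."""
    return quote(url, safe=":/?=&")


def decoding_proxy(header_value):
    """Assumed proxy behaviour: percent-decodes the header before forwarding it.

    This is the step that turns %3Cscript%3E back into <script> on the way in."""
    return unquote(header_value)


def vulnerable_render(referer):
    """BAD: header value inserted into HTML as-is, relying on upstream encoding."""
    return f"<p>You came from: {referer}</p>"


def safe_render(referer):
    """GOOD: escape for the HTML text context regardless of what browser or proxy did."""
    return f"<p>You came from: {html.escape(referer, quote=True)}</p>"


def demo():
    """Return (header the browser sends, what the proxy forwards, vulnerable output, safe output)."""
    encoded = browser_referer(CONSTRUCTED_URL)
    forwarded = decoding_proxy(encoded)
    return encoded, forwarded, vulnerable_render(forwarded), safe_render(forwarded)


if __name__ == "__main__":
    labels = ("browser sends", "proxy forwards", "vulnerable page", "safe page")
    for label, value in zip(labels, demo()):
        print(f"{label:15s} {value}")
```

The takeaway for the defender is the one the slide hints at: the browser's URL encoding is a courtesy of the client path, not a security control of the application, so output encoding has to happen at the point of rendering.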
Summary
Make good use of CTF
with pleasure
Let's improve our technical skills!
Thank you for listening.

More Related Content

Similar to How to strengthen CTF Web skills for beginners

HOW TO START (ANYTHING ABOUT CODE).pptx
HOW TO START (ANYTHING ABOUT CODE).pptxHOW TO START (ANYTHING ABOUT CODE).pptx
HOW TO START (ANYTHING ABOUT CODE).pptxssuser62b2da
 
Down With JavaScript!
Down With JavaScript!Down With JavaScript!
Down With JavaScript!Garth Gilmour
 
English_Resume_KexiongSong
English_Resume_KexiongSongEnglish_Resume_KexiongSong
English_Resume_KexiongSongKexiong Song
 
How to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringHow to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringAndrew Kirkpatrick
 
Viktor Turskyi "Effective NodeJS Application Development"
Viktor Turskyi "Effective NodeJS Application Development"Viktor Turskyi "Effective NodeJS Application Development"
Viktor Turskyi "Effective NodeJS Application Development"Fwdays
 
Как да станем софтуерни инженери и да стартираме ИТ бизнес?
Как да станем софтуерни инженери и да стартираме ИТ бизнес?Как да станем софтуерни инженери и да стартираме ИТ бизнес?
Как да станем софтуерни инженери и да стартираме ИТ бизнес?Svetlin Nakov
 
Tdd is not about testing (C++ version)
Tdd is not about testing (C++ version)Tdd is not about testing (C++ version)
Tdd is not about testing (C++ version)Gianluca Padovani
 
Advanced web application architecture - Talk
Advanced web application architecture - TalkAdvanced web application architecture - Talk
Advanced web application architecture - TalkMatthias Noback
 
Codeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansaiCodeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansaiFlorent Batard
 
'Effective node.js development' by Viktor Turskyi at OdessaJS'2020
'Effective node.js development' by Viktor Turskyi at OdessaJS'2020'Effective node.js development' by Viktor Turskyi at OdessaJS'2020
'Effective node.js development' by Viktor Turskyi at OdessaJS'2020OdessaJS Conf
 
Design Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docx
Design Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docxDesign Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docx
Design Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docxcarolinef5
 
ASP.NET 5: What's the Big Deal
ASP.NET 5: What's the Big DealASP.NET 5: What's the Big Deal
ASP.NET 5: What's the Big DealJim Duffy
 
Bcc exceed ste_cert
Bcc exceed ste_certBcc exceed ste_cert
Bcc exceed ste_certSusan L.
 
Intro javascript build a scraper (3:22)
Intro javascript   build a scraper (3:22)Intro javascript   build a scraper (3:22)
Intro javascript build a scraper (3:22)Thinkful
 
TDD and Simple Design Workshop - Session 1 - March 2019
TDD and Simple Design Workshop - Session 1 - March 2019TDD and Simple Design Workshop - Session 1 - March 2019
TDD and Simple Design Workshop - Session 1 - March 2019Paulo Clavijo
 
Adtech scala-performance-tuning-150323223738-conversion-gate01
Adtech scala-performance-tuning-150323223738-conversion-gate01Adtech scala-performance-tuning-150323223738-conversion-gate01
Adtech scala-performance-tuning-150323223738-conversion-gate01Giridhar Addepalli
 
Adtech x Scala x Performance tuning
Adtech x Scala x Performance tuningAdtech x Scala x Performance tuning
Adtech x Scala x Performance tuningYosuke Mizutani
 

Similar to How to strengthen CTF Web skills for beginners (20)

HOW TO START (ANYTHING ABOUT CODE).pptx
HOW TO START (ANYTHING ABOUT CODE).pptxHOW TO START (ANYTHING ABOUT CODE).pptx
HOW TO START (ANYTHING ABOUT CODE).pptx
 
Down With JavaScript!
Down With JavaScript!Down With JavaScript!
Down With JavaScript!
 
Intro To AOP
Intro To AOPIntro To AOP
Intro To AOP
 
English_Resume_KexiongSong
English_Resume_KexiongSongEnglish_Resume_KexiongSong
English_Resume_KexiongSong
 
How to get started with Site Reliability Engineering
How to get started with Site Reliability EngineeringHow to get started with Site Reliability Engineering
How to get started with Site Reliability Engineering
 
Viktor Turskyi "Effective NodeJS Application Development"
Viktor Turskyi "Effective NodeJS Application Development"Viktor Turskyi "Effective NodeJS Application Development"
Viktor Turskyi "Effective NodeJS Application Development"
 
Как да станем софтуерни инженери и да стартираме ИТ бизнес?
Как да станем софтуерни инженери и да стартираме ИТ бизнес?Как да станем софтуерни инженери и да стартираме ИТ бизнес?
Как да станем софтуерни инженери и да стартираме ИТ бизнес?
 
Tdd is not about testing (C++ version)
Tdd is not about testing (C++ version)Tdd is not about testing (C++ version)
Tdd is not about testing (C++ version)
 
Advanced web application architecture - Talk
Advanced web application architecture - TalkAdvanced web application architecture - Talk
Advanced web application architecture - Talk
 
Codeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansaiCodeception Testing Framework -- English #phpkansai
Codeception Testing Framework -- English #phpkansai
 
'Effective node.js development' by Viktor Turskyi at OdessaJS'2020
'Effective node.js development' by Viktor Turskyi at OdessaJS'2020'Effective node.js development' by Viktor Turskyi at OdessaJS'2020
'Effective node.js development' by Viktor Turskyi at OdessaJS'2020
 
Code Refactoring
Code RefactoringCode Refactoring
Code Refactoring
 
Universal apps lightning talk
Universal apps lightning talk Universal apps lightning talk
Universal apps lightning talk
 
Design Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docx
Design Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docxDesign Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docx
Design Document – Week 1 – ProposalCourse ID IT 491 CAPSTONE .docx
 
ASP.NET 5: What's the Big Deal
ASP.NET 5: What's the Big DealASP.NET 5: What's the Big Deal
ASP.NET 5: What's the Big Deal
 
Bcc exceed ste_cert
Bcc exceed ste_certBcc exceed ste_cert
Bcc exceed ste_cert
 
Intro javascript build a scraper (3:22)
Intro javascript   build a scraper (3:22)Intro javascript   build a scraper (3:22)
Intro javascript build a scraper (3:22)
 
TDD and Simple Design Workshop - Session 1 - March 2019
TDD and Simple Design Workshop - Session 1 - March 2019TDD and Simple Design Workshop - Session 1 - March 2019
TDD and Simple Design Workshop - Session 1 - March 2019
 
Adtech scala-performance-tuning-150323223738-conversion-gate01
Adtech scala-performance-tuning-150323223738-conversion-gate01Adtech scala-performance-tuning-150323223738-conversion-gate01
Adtech scala-performance-tuning-150323223738-conversion-gate01
 
Adtech x Scala x Performance tuning
Adtech x Scala x Performance tuningAdtech x Scala x Performance tuning
Adtech x Scala x Performance tuning
 

Recently uploaded

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityNeo4j
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 

Recently uploaded (20)

Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
EY_Graph Database Powered Sustainability
EY_Graph Database Powered SustainabilityEY_Graph Database Powered Sustainability
EY_Graph Database Powered Sustainability
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 

How to strengthen CTF Web skills for beginners

  • 1. How to strengthen the CTF Web field for beginners 2019/10/16 Panasonic Corporation Product Security Center Verification Measures Department Tomohisa Maeda 『Mix Leap Study #52 - The forefront of cyber security 』
  • 2. Self-introduction ■name Maeda Tomohisa Twitter: @kazkiti_ctf ■Career Graduated from Graduate School of Mechanical Engineering Joined Panasonic Corporation ・ Design/manufacturing quality consultant 9 years ・ System Engineer(SIer) 2 years ・ Security engineer 5.5 years (Incumbent) Engaged in vulnerability diagnosis, threat analysis, design support, etc.
  • 3. Career and achievements such as CTF ■Career and achievements such as CTF second place second place championship 2016 2017 2018 20192015 Entered SECCON domestic finals Medical security hacking contest in Japan Started CTF in Japan Started CTF around the world Started bug bounty Established our CTF team (Pwnasonic)
  • 4. Questionnaire 1. Do you know CTF? 2. Have you ever participated in CTF?
  • 5. Why did I decide to do CTF? Since becoming a security engineer Year zero~ Actually, I was a beginner who didn't even know Cookie … ↓ Acquisition of basic technical skills through vulnerability diagnosis work First year~ Promoting vulnerability diagnosis work by one person … I was always worried “Isn't it leaking the vulnerability?” I felt “Web application vulnerability diagnosis is deep” ↓ Further technical improvement is required! Concentrate resources on web apps! (choice and focus) ↓ The CTF Web field was selected as a means of growth for “enjoying technical improvements and utilizing them in business”
  • 6. When I started the CTF Web field ■Features of the CTF Web field ・The range of questions is too wide! ・There are too many types of vulnerabilities! ↓ ・ So I don't know where to start! PHP Python Node.js MySQL SQLite postgresql SSTI XSS Apache nginx LFI RFI SSRF html css javascript XXE LDAP SQL OAuth2.0 SAML Ruby java CVE OIDC JSON windows Linux IIS Perl serialization XML MSSQL oracleSSO JWT NoSQLXPATH AWS S3 Cloudfront Lambda
  • 7. The study method I tried for the time being (failure story) ■My failure story ・ For the time being, the question frequency is high “Let's be able to solve 100% of the SQL injection problem!” I started studying. ↓ ・ However, SQL injection is deep and falls into a quagmire ...
  • 9. ■Purpose Purpose/Means/Resource reservation ■Resource reservation Prepare to dedicate every weekend to CTF ※CTF is mostly held on weekends Do CTF around the world to do the numbers Sites that summarize CTF schedules around the world http://ctftime.org ■Means Improve technical skills and utilize them in business
  • 10. ■Goal setting ※How far do you want to be able to solve? Goal setting / quantification The difficulty level (Accuracy rate[%]) Number of teams that solved the problem Number of teams that solved one or more questions in total Technical ability to solve 0-1% Technical ability to solve 1-5% Technical ability to solve 5-10% Technical ability to solve 10-20% Technical ability to solve 20-40% Technical ability to solve 40-100% World TOP10 Japan top class Senior Intermediate Beginner Inexperienced CTF ■Grasping current ability ※ Measured and defined several times My ability at that time was all solved at the difficulty level (correct answer rate 30%) ⇒ Beginner level ■Approximate relationship between technical skills and difficulty ※ Measured and defined several times =
  • 11. Enter the correct answer rate in write-up (solution), and grasp your ability In this way I wrote the correct answer rate and was grasping my ability every day. 【 advantage 】 ・It became easier to take countermeasures because the strengths and weaknesses of the field were identified with objective indicators.
  • 13. Technical ability to solve 40-100% Inexperienced CTF
  • 14. What should we do to be able to solve the accuracy rate of 40-100%? ■Inexperienced CTF ・ People who do not have enough security technology ・ People who have IT-related technology such as development technology (Example of development technology) ・Understanding the basics of the website (html, css, javascript, etc.) ・Ability to read and understand programming languages ・How to use git ・Setting of HTTP server (Apache / nginx etc.)
  • 15. Example problem:TokyoWesterns CTF 4th 2018 (1/2) The following PHP source code can be obtained by accessing the URL [Goal] Flag is displayed
  • 16. Example problem:TokyoWesterns CTF 4th 2018 (2/2) 【Breakthrough point】 Ability to read code ・ Set auth to action parameter ・ Set the hashed_password parameter to c019f6e5cd8aa0bbbcc6e994a54c757e ・ Set user or pass parameter to empty (do not overwrite hashed_password) [Goal] Flag is displayed (Detailed explanation)https://ctftime.org/writeup/10891
  • 17. Technical ability to solve 20-40% Beginner
  • 18. What should we do to be able to solve the accuracy rate of 20-40%? ■Issues that require knowledge/investigation of security ・CTF for beginners (picoCTF, etc.) ・Same problem as previous questions (check write-up) ※Once a question is asked, it becomes a known problem even if the difficulty level is high ・Books (Security Contest Challenge Book etc.) ・Known famous vulnerabilities ※Ability to investigate attack methods of vulnerabilities with CVE and solve them in time ※Persons in charge of incident response work are good at
  • 19. Example problem:ENCRYPT CTF 2019 (1/2) When accessing the URL, the following html response is obtained 【Breakthrough point】 Basic knowledge of security ・Since it is 32 hexadecimal digits, it is MD5 of the hash value ・Since MD5 cannot be calculated backwards, it must be searched lexicographically.
  • 20. Example problem:ENCRYPT CTF 2019 (2/2) Since the previous value was 100, Let's calculate and send MD5 values ??from 0 to 101! [Goal] Flag was obtained (Detailed explanation)https://ctftime.org/writeup/14332
  • 21. Have you stopped around here? Let's aim for the next level soon!
  • 22. Technical ability to solve 10-20% Intermediate
  • 23. What should we do to be able to solve the accuracy rate of 10-20%?
    ■Ability to build an environment
    1. Problems that cannot be solved without an environment
    (e.g. 1) SSRF problem ⇒ DNS rebinding ※A DNS server is required
    (e.g. 2) XSS problem ※An HTTP server is required
    2. Problems whose difficulty can be reduced by building the environment and using trial and error
    (e.g. 1) Problems with source code ※Trial and error can be done on your own server ⇒ PHP, Python, Node.js etc.
    (e.g. 2) SQL injection ※Trial and error is possible by setting up a SQL server
    ■Measures
    ・Set up an EC2 server with an AWS account ※1 year free
    ・Register a domain with DNS ※About 100 yen per year
    ・Know how to set up servers in various languages using container technology (Docker, etc.)
    Important: try various servers and use trial and error!
  • 24. Example problem: angstromCTF 2019 (1/1)
    【Breakthrough point】
    ・Once a Node.js server was set up, the NoSQL injection could be worked out by trial and error in that environment.
    (Detailed explanation) https://ctftime.org/writeup/14922
  • 25. Technical ability to solve 5-10% Senior
  • 26. What should we do to be able to solve the accuracy rate of 5-10%?
    ■Thoroughness (exhaustive investigation)
    1. Blacklist-bypass problems
    ・SQL injection
    ・OS command injection
    ・SSTI (Server Side Template Injection)
    ・Arbitrary code execution
    ■Measures
    ・Examine the available functions exhaustively in advance
    ・Check specifications/RFCs in advance
  • 28. Example problem: TokyoWesterns CTF 4th 2018 (2/2)
    【Breakthrough point】
    ・I had been exhaustively examining functions that could execute arbitrary code from SSTI
    [Goal] Flag was obtained
    Blacklist
    (Detailed explanation) https://ctftime.org/writeup/10895
  • 29. Technical ability to solve 1-5% Japan top class
  • 30. What should we do to be able to solve the accuracy rate of 1-5%?
    ■Ability to enumerate attack scenarios
    ・Rare vulnerabilities (difficult to find)
    ・XSS and CSS injection by relative path overwrite attack
    ・XSS by cache poisoning
    ・LDAP injection
    ・Complex problems combined with other fields such as binary/crypto
    ■Measures
    ・Keep every vulnerability known and discoverable
    ・Collect cutting-edge information on a daily basis
  • 31. Example problem: Meepwn CTF Quals 2019 (1/2)
  • 32. Example problem: Meepwn CTF Quals 2019 (2/2)
    [Goal] Flag was obtained
    Final attack URL
    【Breakthrough point】
    ・Understand XSS by relative path overwrite attack, which is a rare vulnerability
    ※After that, create an attack URL that satisfies the conditions.
    (Detailed explanation) https://ctftime.org/writeup/10442
  • 33. Technical ability to solve 1-5% World TOP10
  • 34. What should we do to be able to solve the accuracy rate of 0-1%?
    Throw away something important in life!
    Every day, I'll devote myself thoroughly. I'll try my best.
    First break through at one point, focusing on some vulnerabilities
    XSS Payload <script>alert(1)</script> What is XST ... Danger
  • 35. Example problem: Tokyo Westerns CTF 3rd 2017 (1/2)
    Accessing the HTTP server via the proxy server, the source code is given as follows.
    Also, the flag is located on another local server under the web server's network.
    【Breakthrough point】
    ・2 years of study and information gathering every day, focusing on XSS
    ・It took 14 hours to solve this question ...
    ・I feel like I lost something important in my life ...
  • 36. Example problem: Tokyo Westerns CTF 3rd 2017 (2/2)
    ▼Flow to completing the final attack code
    Read the Python code because it was given
    ↓
    Found an XSS vulnerability in the Referer header
    ※Usually the Referer header is URL encoded, so XSS is not possible. However, XSS was possible because of a special proxy.
    ↓
    Since the location of the flag is a local IP address, brute-force the local IP address using XSS
    Investigated the network and found that 192.169.0.4 exists
    ↓
    Again with XSS, complete the final attack code for obtaining the flag from 192.168.0.4
    (Detailed explanation) https://ctftime.org/writeup/7461
  • 37. Summary
    Make good use of CTF with pleasure
    Let's improve our technical skills!
  • 38. Thank you for listening.