Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams. Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would. This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.

2. Joe Basirico
Security Innovation
SVP Engineering
jbasirico@securityinnovation.com

3. About Security Innovation
• Authority in Software Security
• 15+ years research on software vulnerabilities
• Security testing methodology adopted by SAP,
Symantec, Microsoft and McAfee
• Authors of 18 books
• Helping organizations minimize risk
• Assessment: Show me the gaps
• Education: Guide me to the right decisions
• Standards: Set goals and make it easy and natural
• Tech-enabled services for both breadth and depth

4. Attackers Have Superpowers
4

5. Attackers View Software Differently
• Never OK with ignorance
• Identify things that are out of place quickly
• Have mental
• Horsepower: Ability to focus on difficult problems
• Agility: To quickly context switch
• Bandwidth: To hold many concepts in the mind
5
Phineas Fisher recently hacked into Cayman National Bank and Trust.
They wrote a large manifesto and guide, I’ll be lifting snippets out as
quotes throughout.
Manifesto and guide translated here: https://pastebin.com/8rXhtqgr

6. What are the Super Powers?
• Complete Knowledge of the System
• Good Imagination
• Creativity
• Observant
• Good Memory
• Evil Streak
6

7. They Build a
Complete Knowledge of the System
• What happens when I click the "login" button?
• Let’s talk technology
• Headers?
• Parameters?
• HTML Source?
• Where to ask more…
• Google
• Github
• StackOverflow
So I studied and practiced (see section 11), until I felt I was
ready to pay a visit to Hacking Team almost a year later. The
practice paid off, and this time I was able to make a
complete commitment from the company [7]. Before I
realized that I could enter with shellshock, I was willing to
spend happy whole months of life studying exploit
development and writing a reliable exploit for one of the
memory corruption vulnerabilities I had encountered.

8. They have a Good Imagination
How do people commonly use this technology stack?
• What are the common patterns people follow with this technology?
• And then what are some common mistakes made when developing
this type of thing?
• What could be running the back end?
• What assumptions were made?
• What mistakes might you make if implementing the same features?

9. They are Creative
9
https://absurd.design
Once they have a goal
they’re persistent
Never stop if they hit a
roadblock
They were using a remote citrix app …
to access the SWIFT network, where
each payment message … had to go
through three employees: one to
"create" the message, one to "verify"
it, and another to "authorize it."
Since I already had all their credentials
thanks to the keylogger, I could easily
perform all three steps myself.

11. They are Observant
• What is out of place?
• What has changed?
• Load times
• Technology
• URLs and Parameters
• Content Types
• Headers
• Typos

12. Have a Good Memory & Take Great
Notes
They Remember Everything,
or have tools and automation
to make up the difference
• Error Messages
• Encodings
• Page layouts
• Load times
• Extra Information

13. They Harness Their Evil Streak
• Steal credit card numbers
• Become an admin
• Siphon off cash
• Learn private information
• Send spam
• Gain persistence on the network
OK, we’ve found some issues, what
can we do with them?

14. Polling Question
What are those Super Powers again?
• complete knowledge, creativity, access to a super computer,
fedora, evil streak
• complete knowledge, good imagination, creativity,
observant, good memory, evil streak
• complete knowledge, observant, creativity, great developer,
good memory, evil streak
• creativity, good imagination, observant, good memory, great
time management, evil streak

15. All My Demos with CMD+CTRL
• CyberRange for AppSec awareness and education
• 7 Web Apps & an Android App
• Exploits detected automatically
• Designed for beginners, but scales to experts

16. Design Goals
• Engage users of all skill levels
• Lots of vulnerabilities that can be understood quickly
• No special tools needed
• Built-in hints
• Immediate feedback
• Easter eggs
• Realism
• Full Featured Sites with Real vulnerabilities

17. Methodology & Primary Test Cases
Explore &
Gather
What does this
do?
What do you
want to attack
first?
Anything out of
the ordinary?
Information
Disclosure
Passive
Active
Parameter
Tampering
Try flipping
some switches!
URLs
Forms
Cross Site
Scripting
Notice
anything
reflected back?
SQL
Injection
Let's get the
data!

18. Adjust Your Eyes
Keep your eye on the URL
Always view the source

19. Passive Recon
Anything the attacker can gain
without providing input
We already found the hidden
credentials and secret
message, what else can we
find?

20. Active Recon
Start rattling door handles
Control Characters are a
good place to start
What’s running? How do
we “feel” about it?
' < ; -- #

21. OSINT: OpSec is Hard
Open Source Intelligence (OSINT) –
Gathering data about people or systems that
is publicly available
• Remember Fjord Engineering?
• Who is that Arnold Character?
https://osintframework.com

22. Polling Question
Passive and Active Recon are types of what attack?
• Information disclosure
• Social Engineering
• Parameter tampering
• Cross Site Scripting
• Server Side Request Forgery
• SQL injection

23. Cross Site Scripting (XSS)
Mixing Code and Data using control characters
in the webpage
• Try this anywhere you control a value on the page
• HTML
• JavaScript
• Headers
• How is your input being encoded?
• Test Cases
• Change your input
• Try <marquee>
• Try <script>alert('XSS')</script>

24. SQL Injection
Mixing Code and Data using control characters
in Database Queries
• Try this on any input you think may use the database
• Textboxes, URL Parameters, dropdowns, hidden fields
• Start small, build more complex SQL Queries to manipulate the
database
• Test Cases
• Does ' Produce an error message?
• Think about how to manipulate the SQL command
SELECT * FROM USERS WHERE Username = 'joe' AND Password = '
I didn't get anywhere with Hacking Team, but I
was lucky with Gamma Group, and I was able to
hack their customer support portal with basic
sql injection and file upload vulnerabilities.

25. Post Exploitation
We have a toe hold in the application,
where does that lead us?

26. Thinking Differently

27. You don’t have to run faster than the bear
You just have to run faster than the guy next to you
-Jim Butcher
“I did not set out to hack a
specific bank, what I wanted
was to hack any bank, which
ends up being a much simpler
task.”

28. What can you do?
• Create a Culture of Security
• Define Standards and Policies
• Require Systems Updates and Patching
• Test and Define Authentication, Identity and Access Control
• Centralized, tuned Logs and Auditing
The best way to learn to hack is by hacking. Put
together a laboratory with virtual machines
and start testing things, taking a break to
investigate anything you don't understand.

29. Questions?

30. Joe Basirico
Security Innovation
SVP Engineering
jbasirico@securityinnovation.com