How to strengthen the CTF Web field
for beginners
2019/10/16
Panasonic Corporation
Product Security Center
Verification Measures Department
Tomohisa Maeda
『Mix Leap Study #52 - The forefront of cyber security 』
Self-introduction
■name Maeda Tomohisa
Twitter: @kazkiti_ctf
■Career
Graduated from Graduate School of Mechanical Engineering
Joined Panasonic Corporation
・ Design/manufacturing quality consultant 9 years
・ System Engineer(SIer) 2 years
・ Security engineer 5.5 years
(Incumbent)
Engaged in vulnerability diagnosis,
threat analysis, design support, etc.
Career and achievements such as CTF
■Career and achievements such as CTF
(Timeline chart covering 2015 to 2019; only the recoverable items are listed)
・Started CTF in Japan
・Started CTF around the world
・Entered SECCON domestic finals
・Medical security hacking contest in Japan: second place, second place, championship
・Started bug bounty
・Established our CTF team (Pwnasonic)
Questionnaire
1. Do you know CTF?
2. Have you ever participated in CTF?
Why did I decide to do CTF?
Since becoming a security engineer
Year zero~ Actually, I was a beginner
who didn't even know Cookie …
↓
Acquisition of basic technical skills through
vulnerability diagnosis work
First year~ Carrying out vulnerability diagnosis work by myself …
I was always worried: “Am I overlooking a vulnerability?”
I felt “Web application vulnerability diagnosis is deep”
↓
Further technical improvement is required!
Concentrate resources on web apps! (choice and focus)
↓
The CTF Web field was selected as a means of growth for
“enjoying technical improvements and utilizing them in business”
When I started the CTF Web field
■Features of the CTF Web field
・The range of questions is too wide!
・There are too many types of vulnerabilities!
↓
・ So I don't know where to start!
(Word cloud on the slide) PHP, Python, Node.js, MySQL, SQLite, PostgreSQL, SSTI, XSS, Apache, nginx, LFI, RFI, SSRF, HTML, CSS, JavaScript, XXE, LDAP, SQL, OAuth 2.0, SAML, Ruby, Java, CVE, OIDC, JSON, Windows, Linux, IIS, Perl, serialization, XML, MSSQL, Oracle, SSO, JWT, NoSQL, XPATH, AWS S3, CloudFront, Lambda
The study method I tried for the time being (failure story)
■My failure story
・ For the time being, since SQL injection questions are the most frequent,
“Let's be able to solve 100% of the SQL injection problems!”
was where I started studying.
↓
・ However, SQL injection is deep, and I fell into a quagmire ...
Start CTF seriously
(2017~)
Change of mind
Purpose / Means / Resource reservation
■Purpose
Improve technical skills and utilize them in business
■Means
Do CTF around the world to build up the numbers
Site that summarizes CTF schedules around the world: http://ctftime.org
■Resource reservation
Prepare to dedicate every weekend to CTF
※CTF is mostly held on weekends
■Goal setting ※How far do you want to be able to solve?
Goal setting / quantification
Difficulty level (accuracy rate [%]) = number of teams that solved the problem / number of teams that solved one or more questions in total
■Approximate relationship between technical skills and difficulty ※ Measured and defined several times
Technical ability to solve 0-1% ⇒ World TOP10
Technical ability to solve 1-5% ⇒ Japan top class
Technical ability to solve 5-10% ⇒ Senior
Technical ability to solve 10-20% ⇒ Intermediate
Technical ability to solve 20-40% ⇒ Beginner
Technical ability to solve 40-100% ⇒ Inexperienced CTF
■Grasping current ability ※ Measured and defined several times
At that time I could solve the problems at the 30% correct-answer-rate difficulty level ⇒ Beginner level
Enter the correct answer rate in each write-up (solution) and grasp your ability
In this way I recorded the correct answer rate and kept track of my ability every day.
【 advantage 】
・It became easier to take countermeasures because the strengths and weaknesses of each field were identified with objective indicators.
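The two slides above define the difficulty measure (teams that solved the problem divided by teams that solved at least one problem) and the habit of recording that rate in every write-up to find strengths and weaknesses. The following Python script is an added example, not code from the talk: it computes the rate, maps it to the six level bands of the slide, and profiles a constructed write-up log per vulnerability category. The band boundaries (a rate exactly on a boundary falls into the harder band) and the log records are assumptions.

```python
# Level bands from the slide: (upper bound of accuracy rate in %, level).
# A rate exactly on a boundary is assigned to the harder (lower-rate) band;
# the slide does not say which side the boundary belongs to, so this is an assumption.
LEVEL_BANDS = [
    (1, "World TOP10"),
    (5, "Japan top class"),
    (10, "Senior"),
    (20, "Intermediate"),
    (40, "Beginner"),
    (100, "Inexperienced CTF"),
]


def difficulty_rate(solved_teams, active_teams):
    """Accuracy rate in % as the slide defines it:
    teams that solved this problem / teams that solved one or more problems."""
    if active_teams <= 0:
        raise ValueError("active_teams must be positive")
    if not 0 <= solved_teams <= active_teams:
        raise ValueError("solved_teams must be between 0 and active_teams")
    return 100.0 * solved_teams / active_teams


def level_for(rate):
    """Map an accuracy rate to the skill level the slide associates with it."""
    for upper, name in LEVEL_BANDS:
        if rate <= upper:
            return name
    return LEVEL_BANDS[-1][1]


def profile(records):
    """Per category: the hardest problem solved (lowest rate), the level that
    corresponds to it, and counts of solved / attempted-but-unsolved problems.
    A category with a low 'unsolved' count at an easy level is a weakness."""
    out = {}
    for r in records:
        rate = difficulty_rate(r["solved_teams"], r["active_teams"])
        entry = out.setdefault(
            r["category"], {"best_rate": None, "level": None, "solved": 0, "unsolved": 0}
        )
        if r["solved"]:
            entry["solved"] += 1
            if entry["best_rate"] is None or rate < entry["best_rate"]:
                entry["best_rate"] = rate
                entry["level"] = level_for(rate)
        else:
            entry["unsolved"] += 1
    return out


# Constructed write-up log (invented numbers, not real CTF data).
WRITEUP_LOG = [
    {"category": "SQLi", "solved_teams": 180, "active_teams": 600, "solved": True},   # 30%
    {"category": "SQLi", "solved_teams": 30, "active_teams": 600, "solved": False},   # 5%
    {"category": "XSS", "solved_teams": 48, "active_teams": 600, "solved": True},     # 8%
    {"category": "XSS", "solved_teams": 6, "active_teams": 600, "solved": False},     # 1%
    {"category": "SSTI", "solved_teams": 90, "active_teams": 600, "solved": False},   # 15%
]

if __name__ == "__main__":
    for category, entry in profile(WRITEUP_LOG).items():
        print(category, entry)
```

Run as a script it prints one line per category; in the constructed log, XSS is the strongest field (a Senior-level solve) and SSTI the weakest (an Intermediate-level problem attempted and not solved), which is the kind of objective indicator the slide describes.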
Measures by difficulty level
Technical ability to solve 40-100%
Inexperienced CTF
What should we do to be able to solve problems with an accuracy rate of 40-100%?
■Inexperienced CTF
・ People who do not have enough security technology
・ People who have IT-related technology such as development technology
(Example of development technology)
・Understanding the basics of the website (html, css, javascript, etc.)
・Ability to read and understand programming languages
・How to use git
・Setting of HTTP server (Apache / nginx etc.)
Example problem:TokyoWesterns CTF 4th 2018 (1/2)
The following PHP source code can be obtained by
accessing the URL
[Goal] Flag is displayed
Example problem:TokyoWesterns CTF 4th 2018 (2/2)
【Breakthrough point】
Ability to read code
・ Set auth to action parameter
・ Set the hashed_password parameter to c019f6e5cd8aa0bbbcc6e994a54c757e
・ Set user or pass parameter to empty (do not overwrite hashed_password)
[Goal] Flag is displayed
(Detailed explanation)https://ctftime.org/writeup/10891
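The breakthrough points above describe a flaw class rather than spelling out the challenge's PHP: a verification value (hashed_password) that the request itself can set, and that the server only recomputes when user and pass are non-empty. The Python below is an added model of that flaw written for this page, not the challenge's source or the author's solution; its request handling, the use of MD5 (kept only because the slide's hash is an MD5-length value) and the query strings are assumptions. It shows the vulnerable check beside a hardened one in which no request parameter can supply the comparison value.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Accepted hash value: the one shown on the slide. MD5 is used only to mirror
# the challenge; it is not a suitable password hash for real systems.
EXPECTED_HASH = "c019f6e5cd8aa0bbbcc6e994a54c757e"


def _params(query_string):
    """First value of each query parameter, keeping empty values (user=&pass=)."""
    return {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def vulnerable_auth(query_string):
    """Model of the flaw: hashed_password is taken from the request, and only
    overwritten by a server-side computation when both credentials are non-empty.
    Returns True when the request is accepted as authenticated."""
    p = _params(query_string)
    if p.get("action") != "auth":
        return False
    hashed_password = p.get("hashed_password")  # client-controllable (the bug)
    user, password = p.get("user", ""), p.get("pass", "")
    if user and password:
        hashed_password = hashlib.md5((user + password).encode()).hexdigest()
    return hashed_password is not None and hmac.compare_digest(hashed_password, EXPECTED_HASH)


def fixed_auth(query_string):
    """Hardened version: the comparison value is derived only from the submitted
    credentials, both of which must be present; nothing in the request can set it."""
    p = _params(query_string)
    if p.get("action") != "auth":
        return False
    user, password = p.get("user", ""), p.get("pass", "")
    if not user or not password:
        return False
    computed = hashlib.md5((user + password).encode()).hexdigest()
    return hmac.compare_digest(computed, EXPECTED_HASH)


# Constructed request matching the three breakthrough points on the slide.
BYPASS_QUERY = "action=auth&hashed_password=" + EXPECTED_HASH + "&user=&pass="

if __name__ == "__main__":
    print("vulnerable:", vulnerable_auth(BYPASS_QUERY))  # accepted without a password
    print("fixed:     ", fixed_auth(BYPASS_QUERY))       # rejected
```

The review habit this trains is the one the slide calls "ability to read code": for every comparison that gates access, trace where each side of the comparison can come from, and treat any path that lets the request supply it as a finding.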
Technical ability to solve 20-40%
Beginner
What should we do to be able to solve problems with an accuracy rate of 20-40%?
■Issues that require knowledge/investigation of security
・CTF for beginners (picoCTF, etc.)
・Same problem as previous questions (check write-up)
※Once a question is asked, it becomes a known problem even if the difficulty level is high
・Books (Security Contest Challenge Book etc.)
・Known famous vulnerabilities
※Ability to investigate attack methods of vulnerabilities with CVE and solve them in time
※Persons in charge of incident response work are good at
Example problem:ENCRYPT CTF 2019 (1/2)
When accessing the URL, the following HTML response is obtained
【Breakthrough point】
Basic knowledge of security
・Since the value is 32 hexadecimal digits, it is an MD5 hash
・Since MD5 cannot be calculated backwards, the input must be found by enumeration (brute force)
Example problem:ENCRYPT CTF 2019 (2/2)
Since the previous value was 100,
let's calculate the MD5 values of 0 to 101 and send them!
[Goal] Flag was obtained
(Detailed explanation)https://ctftime.org/writeup/14332
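The two observations on the slide (32 hex digits means MD5; MD5 cannot be reversed, so the input is found by enumeration) are the whole technique, and they are also the defender's lesson: an unsalted hash of a value drawn from a tiny space, such as a small counter, hides nothing. The Python below is an added example, not the author's solution or the challenge's code; the target digest is constructed here from the string "57" and is not a value from the CTF.

```python
import hashlib
import re

# MD5 digests are 128 bits, printed as 32 hexadecimal characters.
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def looks_like_md5(value):
    """First observation on the slide: a 32-hex-digit string has MD5's length."""
    return bool(MD5_HEX.match(value.strip().lower()))


def find_small_int_preimage(target_hex, limit):
    """Second observation: enumerate candidate inputs 0..limit, hash each one as
    its decimal string, and return the integer whose digest matches (None if no match)."""
    target = target_hex.strip().lower()
    for n in range(limit + 1):
        if hashlib.md5(str(n).encode()).hexdigest() == target:
            return n
    return None


# Constructed target for the demonstration (MD5 of "57"); not from the CTF.
CONSTRUCTED_TARGET = hashlib.md5(b"57").hexdigest()

if __name__ == "__main__":
    print(looks_like_md5(CONSTRUCTED_TARGET))                 # True
    print(find_small_int_preimage(CONSTRUCTED_TARGET, 101))   # 57
```

The same enumeration is what makes a short numeric token, an order id or a sequence number unsafe to "protect" with a bare hash; a keyed construction such as an HMAC with a server-side secret, or a random token, is the fix on the application side.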
Have you stopped around here?
Let's aim for the next level soon!
Technical ability to solve 10-20%
Intermediate
What should we do to be able to solve problems with an accuracy rate of 10-20%?
■Environment construction ability
1. Problems that cannot be solved without an environment
(e.g.1) SSRF problem ⇒ DNS rebinding ※DNS server required
(e.g.2) XSS problem ※HTTP server required
2. The difficulty can be reduced if you build the environment and work by trial and error
(e.g.1) Problems that come with source code ※Trial and error can be done on your own server
⇒ PHP, Python, Node.js etc.
(e.g.2) SQL injection ※Trial and error is possible by setting up a SQL server
■Measures
・Set up an EC2 server with an AWS account ※1 year free
・Register a domain with DNS ※About 100 yen per year
・Know how to set up servers in various languages using container technology (Docker, etc.)
Try various servers and experiment by trial and error! (important)
Example problem:angstromCTF 2019 (1/1)
【Breakthrough point】
・Once a Node.js server was set up, I worked by trial and error
in a NoSQL injection environment.
(Detailed explanation)https://ctftime.org/writeup/14922
Technical ability to solve 5-10%
Senior
What should we do to be able to solve problems with an accuracy rate of 5-10%?
■Comprehensive power
1.BlackList-Bypass problems
・SQL injection
・OS command injection
・SSTI(Server Side Template Injection)
・Arbitrary code execution
■Measures
・Examine the relevant functions exhaustively in advance
・Check the specifications/RFCs in advance
Example problem:TokyoWesterns CTF 4th 2018(1/2)
Example problem:TokyoWesterns CTF 4th 2018(2/2)
【Breakthrough point】
・ I was exhaustively examining functions that could
execute arbitrary code from SSTI
[Goal] Flag was obtained
Blacklist
(Detailed explanation)https://ctftime.org/writeup/10895
Technical ability to solve 1-5%
Japan top class
What should we do to be able to solve problems with an accuracy rate of 1-5%?
■Ability to enumerate attack scenarios
・Rare vulnerabilities (difficult to find)
・XSS and CSS injection by relative path overwrite attack
・XSS by Cache-Poisoning
・LDAP injection
・Complex problems with other fields such as binary/crypto
■Measures
・Know every vulnerability type so that it can be recognized when it appears
・Collect cutting-edge information on a daily basis
Example problem:Meepwn CTF Quals 2019 (1/2)
Example problem:Meepwn CTF Quals 2019 (2/2)
[Goal] Flag was obtained
Final attack URL
【Breakthrough point】
・ Understand XSS via relative path overwrite attack, which is a
rare vulnerability
※After that, create an attack URL that meets the conditions.
(Detailed explanation)https://ctftime.org/writeup/10442
Technical ability to solve 0-1%
World TOP10
What should we do to be able to solve problems with an accuracy rate of 0-1%?
Throw away something important in life!
Every day, I'll devote myself thoroughly. I'll try my best.
First, break through at one point by focusing on a few vulnerabilities
(Slide image) XSS payload: <script>alert(1)</script> / “What is XST ...” / Danger
Example problem:Tokyo Westerns CTF 3rd 2017 (1/2)
The HTTP server is accessed via a proxy server, and the source code is given as follows.
Also, the flag is located on another local server within the Web server's network.
【Breakthrough point】
・2 years of study and information gathering every day focusing on XSS
・It took 14 hours to solve this question ...
・I feel like I lost something important in my life ...
Example problem:Tokyo Westerns CTF 3rd 2017 (2/2)
▼Flow to final attack code completion
Read the Python code, since it was given
↓
Found an XSS vulnerability in the Referer header
※Usually the Referer header is URL-encoded, so XSS is not possible.
However, XSS was possible here because of a special proxy.
↓
Since the flag is located at a local IP address,
brute-force the local IP address range using XSS
Network investigation found that 192.169.0.4 exists
↓
Again with XSS, obtain the flag from 192.168.0.4 and
complete the final attack code
(Detailed explanation)https://ctftime.org/writeup/7461
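The note in the flow above is the defender's point of this challenge: the reflection of the Referer header was only "safe" because browsers percent-encode the header, and one unusual proxy in the path removed that assumption. The Python below is an added example, not the challenge's code or the author's exploit; the page template, the header values and the detection check are assumptions. It shows the fragile reflection beside a version that encodes on output regardless of what upstream did, plus a log/WAF-style check for Referer values carrying raw markup, which a browser never sends.

```python
import html
import re
from urllib.parse import quote, urlsplit

# Characters a browser percent-encodes in Referer; seeing them raw means
# something upstream passed the header through unencoded.
RAW_MARKUP = re.compile(r"[<>\"']")


def referer_carries_raw_markup(referer):
    """Detection check for access logs or a WAF rule: True when the header
    contains unencoded markup characters."""
    return bool(RAW_MARKUP.search(referer))


def render_referer_unsafe(referer):
    """Fragile pattern: reflects the header verbatim and relies on the client
    or proxy having URL-encoded it."""
    return '<p>You came from: <a href="{0}">{0}</a></p>'.format(referer)


def render_referer_safe(referer):
    """Hardened pattern: validate the scheme, percent-encode the URL for the
    href, and HTML-escape the text node, whatever upstream did."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "<p>You came from: (unknown)</p>"
    # quote() encodes <, >, quotes, spaces and parentheses; the safe set keeps
    # URL delimiters and existing %XX sequences intact.
    encoded = quote(referer, safe=":/?#&=%@+;,~-._")
    return '<p>You came from: <a href="{0}">{1}</a></p>'.format(
        html.escape(encoded, quote=True), html.escape(encoded)
    )


# Constructed header values (not from the CTF): a normal one, and one that
# only an unencoding proxy would deliver in this form.
NORMAL_REFERER = "http://example.test/page?id=1"
RAW_REFERER = "http://example.test/<script>alert(1)</script>"

if __name__ == "__main__":
    for ref in (NORMAL_REFERER, RAW_REFERER):
        print(referer_carries_raw_markup(ref), render_referer_safe(ref))
```

The design choice is to treat every header as untrusted bytes and make the output encoding the application's own responsibility; the detection check is cheap to run over proxy logs and surfaces exactly the traffic pattern the challenge relied on.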
Summary
Make good use of CTF
and enjoy it
Let's improve our technical skills!
Thank you for listening.