H3llo W0rld

Professional Hacker™ Training Course

elttam

In this course you will learn
  • How to identify threats during software design

  • How to think from the perspective of a hacker

  • How to test software for vulnerabilities

  • How to measure the impact of a vulnerability

Welcome

  • Who are you?

  • What do you do?

  • Why are you here?

This course is not about

  1. Tool man-pages

  2. Outdated software vulnerabilities

  3. Hacking unrealistic environments

What is the course about?

Give a man a hacking-tool, he’ll hack for a day. Teach him how to hack, and he’ll hack for a lifetime

Syllabus

  1. Hello world

  2. Know where to start

  3. Create your hacker mindset

  4. Identify and exploit software vulnerabilities

  5. Hacking contest (CTF)

1. Hello world

Similar to a hello-world program, in the first chapter you will go through the end-to-end process of identifying, measuring, reporting and patching a security vulnerability.

2. Know where to start

Identify low-hanging fruit, learn techniques to uncover sensitive metadata, and map the attack surface of a program.

3. Create your hacker mindset

Understand the fundamental mindset behind hacking and identify threats to software features during the design phase.

4. Identify and exploit software vulnerabilities

Learn how to identify a vulnerability and measure its impact.

  • We choose web applications as our target. The web is a familiar environment, hence a good technology to start with.

  • The same approach can be applied to other technologies (mobile, cloud, etc.)

We examine vulnerabilities in

  • Session management

  • Output rendering

  • User interface

  • URL and file handling

  • Business logic

  • Second order bugs

5. Hacking contest (CTF)

CTF targets: bluecar, lazysusan

Course Structure

Four parts per chapter

  1. Theory: Whats and Whys

  2. Hands-on: Practice real-world examples

  3. Exercise: Extra exercises to practice more

  4. References: Self-study materials and resources.

Requirements

  1. Passion

  2. Basic understanding of network protocols

  3. Basic understanding of web protocols

  4. Basic UNIX commands

  5. Laptop


Evaluation metrics report


Are you ready?

Congratulations!

You are hired! 😊

Your first gig

  • BlueCar Pty Ltd was acquired by the Big Enterprise. The Big Enterprise wants to assess the security of the BlueCar web application before connecting it to their network.

  • Help the Big Enterprise to assess the security of the BlueCar website: https://bluecar.tph.libctf.so

Let’s Begin


  1. Follow a phased approach

  2. Use no tools other than a browser

  3. Identify, measure, report and patch

Figure 1. Phases

Task 1

Get yourself familiar with your target

  1. Surf through the website and make yourself familiar with its functions.

  2. Try all functionalities e.g. Links, Submit forms, Search, Subscribe, …​

  3. Create a list of functionalities.

Task 2

Go behind the UI

In your browser, open the Network Monitor. It is part of the developer tools, alongside the Web Console.

  • Firefox: Ctrl + Shift + Q or F12

  • Chrome: F12

Click on different links and observe:

  • HTTP request

  • HTTP request header

  • HTTP response

  • HTTP response header

  • Response time

Task 3

Be a curious user and play around

  1. Use Search and observe the URL

  2. Enter the following values in the URL: make=Toyota, model=Sedan, price=100

  3. Observe the response

  4. Think! What can you do with this issue?

Task 4

Put your black hat on and play around

  1. Enter the following value in the URL: model=<br><a href=http://attacker>Win this Car, Click HERE</a>!

  2. Observe the response.

  3. Now try this: model=<script>alert('ATTACK')</script>

  4. Observe the response.

Congratulations

You have identified your first security vulnerability!

Output rendering

  • Defect name: Cross-Site Scripting (XSS)

  • Vulnerability type: Output rendering

The software does not neutralise or incorrectly neutralises untrusted input before it is placed in output.

    <div class="wrap-col">
      <p class="price">$<?php echo $_GET['price'] ?></p>
      <ul class="specs">
        <li><strong>Make</strong><span> <?php echo $_GET['make'] ?> </span></li>
        <li><strong>Model</strong><span> <?php echo $_GET['model'] ?> </span></li>
        [SNIP]
      </ul>
    </div>

Task 5

Show-off your dark skills

  1. Craft a URL that extract the cookie and sends it to you.

  2. Craft a good social engineering message and include the URL.

  3. Find a way to contact a BlueCar staff and deliver the message.

  4. Wait and be hopeful!

Task 6

Tell the big boss

  1. How would you explain this vulnerability to a non-technical Big Enterprise manager?

  2. How would you demo a hypothetical attack?

Task 7

Talk in business language

  1. What is the likelihood of a successful attack? And Why?

  2. What is the impact of a successful attack? And Why?

Figure 2. Risk rating matrix

Risk rating

The likelihood of this vulnerability being exploited is Unlikely: although it is publicly exploitable, a successful user compromise requires a degree of social engineering.

The impact of this vulnerability is Moderate, as it can be exploited to compromise a small set of users. Sensitive information such as authentication tokens, usernames and passwords can be stolen.

As a result, this vulnerability is rated as Medium risk.

Task 8

Sleeves up! Time to fix

How should Big Enterprise patch this vulnerability?

  1. Encode the output

  2. Do not accept HTML tags

  3. Allow alphanumeric characters only

  4. Add security HTTP response headers to the response
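Added example, not code from the course or from BlueCar: the four fix options above applied to the vulnerable template from the "Output rendering" section, written in JavaScript so it runs stand-alone. The parameter names follow the course (make, model, price); the list of allowed makes, the model and price patterns, and the header values are assumptions chosen for this example.

```javascript
// Added example, not code from the elttam course: the four Task 8 fixes
// applied to the "Output rendering" template, in JavaScript. Parameter
// names follow the course (make, model, price); the allowed-make list
// and the header values are assumptions chosen for the example.

// Fix 1: encode the output. For the HTML body (and double-quoted
// attribute) context, the five characters below are enough. This does
// not make data safe inside <script>, event handlers or URLs, which need
// their own context-specific encoders.
function encodeForHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixes 2 and 3: validate the input rather than stripping tags. Anything
// outside the expected shape is rejected outright; returns null on failure.
const ALLOWED_MAKES = new Set(['Toyota', 'Ford', 'Holden']); // assumed list

function validateSearch(params) {
  const make = params.make || '';
  const model = params.model || '';
  const price = params.price || '';
  if (!ALLOWED_MAKES.has(make)) return null;
  if (!/^[A-Za-z0-9 ]{1,40}$/.test(model)) return null; // alphanumeric and space only
  if (!/^\d{1,9}$/.test(price)) return null;             // whole dollars, no sign or markup
  return { make, model, price: Number(price) };
}

// The template itself: same layout as the vulnerable one, but every
// value passes through encodeForHtml before it reaches the page.
function renderTemplate(p) {
  return [
    '<div class="wrap-col">',
    `  <p class="price">$${encodeForHtml(p.price)}</p>`,
    '  <ul class="specs">',
    `    <li><strong>Make</strong><span> ${encodeForHtml(p.make)} </span></li>`,
    `    <li><strong>Model</strong><span> ${encodeForHtml(p.model)} </span></li>`,
    '  </ul>',
    '</div>',
  ].join('\n');
}

// Encoding alone: the payload is still shown to the user, but as text.
function renderEncodedOnly(params) {
  return renderTemplate({ make: params.make || '', model: params.model || '', price: params.price || '' });
}

// Validation plus encoding: the payload never reaches the template.
function renderCarSpecsSafe(params) {
  const p = validateSearch(params);
  if (p === null) return '<div class="wrap-col"><p class="error">Invalid search</p></div>';
  return renderTemplate(p);
}

// Fix 4: security response headers as defence in depth. Without
// 'unsafe-inline' in script-src, an injected <script> block does not
// execute even if some other template forgets to encode.
function securityHeaders() {
  return {
    'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
  };
}

// The Task 4 script payload, run through both renderers.
const ATTACK = { make: 'Toyota', model: "<script>alert('ATTACK')</script>", price: '100' };
console.log(renderEncodedOnly(ATTACK));
console.log(renderCarSpecsSafe(ATTACK));
```

Option 1 on its own already neutralises both Task 4 payloads: the browser receives &lt;script&gt; and displays it rather than executing it. Options 2 and 3 shrink what can reach the template at all, and option 4 limits the damage if encoding is missed somewhere else in the application. Encoding at output time is the one of the four that should never be dropped, because it is the only one that does not depend on guessing what the input will look like.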

Job done!

Your first gig was successfully delivered!

But wait a sec…​

We have a feature that allows our customers to write reviews for cars. We are going to let them enter HTML tags. Your security patch has broken the application functionality.

— A developer from Big Enterprise

Practice more

  1. Review OWASP XSS Filter Evasion Cheatsheet

  2. Create your own XSS cheatsheet

  3. Test your cheatsheet against https://xss-game.appspot.com

References

Penetration Testing: A Hands-On Introduction to Hacking

By Georgia Weidman.

The Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws, 2nd Edition

By Dafydd Stuttard, Marcus Pinto.

The Tangled Web: A Guide to Securing Modern Web Applications

By Michal Zalewski.

Thank you

Any questions?

Contact

Sydney

(+61) 02 8004 5952

20-40 Meagher Street, Chippendale, NSW

Melbourne

(+61) 03 9005 1058

36-38 Gipps Street, Collingwood, VIC