NCC Hackers - Creative Digital Careers
Dinis Cruz, Chief Information Security Officer
15 November 2017
Quick Quiz
What’s the difference?
Which language?
What is it?
Recap on last session
XSS
● In the last session we completed a challenge on XSS (Cross Site Scripting)
● This is a technique used by hackers
● XSS is one of the most common weaknesses in software development
● XSS is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser
● An attacker does not directly target their victim
■ They exploit a vulnerability in a website that the victim visits and get the website to deliver the malicious JavaScript for them
■ The malicious JavaScript appears to be a legitimate part of the website; the website acts as an unintentional accomplice to the attacker
Any questions?
The Challenge
‘XSS in practice’
How to hack an API…
...and get away with it
Hacking an API
We quickly took you through hacking an API; let’s spend some more time on that...
● API security is something a company needs to take seriously
● Nobody is going to bail you out if your customers’ credit card numbers are stolen, or your customers’ users’ personal dating data is published on a torrent website
Hacking an API
● If you’re going to attack an API, then you must understand its perimeter
○ Most APIs use the HTTP protocol
○ HTTP is a text-based protocol which is easy to read
Secure APIs
● An API isn’t secure just because it uses SSL (Secure Sockets Layer) or OAuth (Open Authorisation)
● Developers need to make sure that their APIs keep users’ data (usernames and passwords) secure, which means creating a layer of separation between their information and the client
● A hacker will be looking for security standards that aren’t used correctly
It happened to us...
The ‘hacker’s’ blog
He went into every detail!
http://www.ifc0nfig.com/moonpig-vulnerability/
The Challenge
‘find a way to log in as admin’
Find us on this Slack organisation
https://join.slack.com/t/ncc-hackers/signup