Have you ever wondered what a day at work looks like for a professional hacker? In this talk, Dennis Stötzel will give you an introduction to web application security and show you what a security expert does for a living.
[DevDay2018] Hacking for fun and profit - By: Dennis Stötzel, Head of Security Division at mgm technology partners Vietnam
Offices: München (HQ), Bamberg, Berlin, Đà Nẵng, Dresden, Grenoble, Hamburg, Cologne, Leipzig, Nuremberg, Prague, Washington, Zug
Hacking for fun and profit
A day in the life of a professional hacker
Dennis Stötzel
20/04/18
10. 20.04.2018 11
hostapd: Create, configure and open an access point
dnsmasq: DNS forwarding and DHCP
Proxy
run all HTTP traffic through the proxy
easily control the content of HTTP requests
Strip security headers: Take away unwanted HTTP headers
Content-Security-Policy
Strict-Transport-Security
Caching / compression
…
The Parts
Steal your sensitive data
passwords
banking data
…
Inject REAL malware into your browser
Abuse vulnerabilities in older browsers (or plugins like Flash)
gain control of your machine
make your computer a zombie
What else COULD have happened?
Do not blindly connect to any free wifi!!!!!1111
Prefer websites that use SSL
Don’t do sensitive transactions (like online banking) over an unknown wifi connection
Be careful when a website is suddenly HTTP instead of HTTPS
Use a VPN
The User
Use SSL/TLS
an evil AP cannot inject into an encrypted connection
Use HSTS (HTTP Strict Transport Security)
to defend against SSL stripping
Strict-Transport-Security: max-age=31536000
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
Use HSTS preloading
https://hstspreload.org
The Websites
A day in the life of a hacker…
Morning: Make some money at a developer conference
Afternoon: Work for the customer
Evening
whoami
Dennis Stötzel
Managing Principal
Security Team
mgm technology partners Vietnam
Born in Germany
Lived in Bolivia (South America), Germany, Spain, Vietnam
Studied Mathematics in Munich, Germany
6 years of security consulting and development
Specializations in security
Penetration tests
Consulting around the Secure Software Development Lifecycle (SDLC)
Source code analysis
We build software:
Web and mobile
Large enterprise customers in Germany
We make software secure:
Security consulting
Penetration testing
Developer training
Works only with the customer's consent
only on an exactly defined scope
only in an exactly defined time period
No illegal activities
The Work of a Professional Penetration Tester
SQL Injection Consequences
Several attacks can be conducted:
UNION SELECT balance FROM account;
; UPDATE interest SET ...
; DELETE ...
; INSERT ...
and access to the file system:
CREATE TABLE footable(data longblob); -- create BLOB table
INSERT INTO footable(data) VALUES(0x4d5a90…610000); -- fill table with binary data
UPDATE footable SET data=CONCAT(data, 0xaa270000…000000);
[…];
SELECT data FROM footable INTO DUMPFILE 'C:/WINDOWS/Temp/nc.exe'; -- drop finished trojan
One vulnerable web application may compromise the security of the whole system
SQL Injection - Countermeasures
Prepared Statements
Stored Procedures
Defense-in-Depth
Least privilege connections (database user having minimal access rights)
separated table spaces
Input Encoding
If dynamic SQL statements are required:
string strSanitizedInput = strInput.Replace("'", "''"); // C#
statement.executeQuery("SELECT * FROM MOVIES WHERE TITLE='" +
StringEscapeUtils.escapeSql("McHale's Navy") + "'"); // Java, org.apache.commons.lang
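As an added example (not code from the slides), the three approaches on this slide side by side in Python against an in-memory SQLite database: dynamic SQL that the earlier slide's "UNION SELECT balance FROM account" breaks, the quote-doubling fallback, and a prepared statement. The movie and account tables and the payload are constructed for the demo.

```python
import sqlite3

# Constructed in-memory database (not from the slides): a movie table the
# application is meant to query and an account table it must never expose.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE movies(title TEXT);
        INSERT INTO movies VALUES ('McHale''s Navy'), ('Hackers');
        CREATE TABLE account(owner TEXT, balance TEXT);
        INSERT INTO account VALUES ('alice', '1337.00');
    """)
    return conn

def search_vulnerable(conn, title):
    # Dynamic SQL: user input is pasted straight into the statement text.
    sql = "SELECT title FROM movies WHERE title='" + title + "'"
    return [row[0] for row in conn.execute(sql)]

def search_escaped(conn, title):
    # The slide's fallback when dynamic SQL is unavoidable: double every
    # single quote so the input cannot close the string literal.
    sql = "SELECT title FROM movies WHERE title='" + title.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]

def search_prepared(conn, title):
    # Prepared statement: the input is bound as a value and never parsed as SQL.
    rows = conn.execute("SELECT title FROM movies WHERE title=?", (title,))
    return [row[0] for row in rows]

# Constructed payload in the spirit of the slide's "UNION SELECT balance FROM account":
# closes the string literal, appends a UNION, and reuses the template's trailing quote.
INJECTION = "' UNION SELECT balance FROM account WHERE ''='"

def run_demo():
    conn = build_demo_db()
    return {
        "vulnerable": search_vulnerable(conn, INJECTION),  # ['1337.00']: balance leaked
        "escaped": search_escaped(conn, INJECTION),        # []: literal no longer closed
        "prepared": search_prepared(conn, INJECTION),      # []: payload treated as a title
        "legit": search_prepared(conn, "McHale's Navy"),   # ["McHale's Navy"]: quotes are safe
    }

if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:10s} -> {result}")
```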
A day in the life of a hacker…
Morning: Make some money at a developer conference
Afternoon: Work for the customer
Evening: Have a beer & hire some people
Curiosity for web application security
Understanding of web and browser technologies
HTTP, HTML, JS, SQL, etc.
Good command of English
University degree
Profile