Notes from Troy Hunt's Hack Yourself First workshop

Troy Hunt (@troyhunt, blog) had a great, very hands-on 2-day workshop about webapp security at NDC Oslo. Here are my notes.

Highlights - resources

Personal security and privacy

Site security

Breaches etc.

To follow

  • - an example app with many vulnerabilities
  • Note: maximizing your browser window will share info about your screen size, which might help to identify you
  • - Troy's online DB of hacked accounts


  • check robots.txt to know what to access

Example Issues

  • no https on login page
  • insecure psw requirements
  • cookies without the Secure flag => sent over http (incl. AuthCookie)
  • psw sent in clear text in the confirmation email
  • user enumeration, e.g. an issue with AdultFriendFinder - enter someone’s email on login to find out whether they have an account
  • post illegal chars, get them displayed => injection
  • no anti-automation (captcha)
    • login confirmation email & automated creation of 1m accounts => sending 1m emails => pisses ppl off and likely increases one’s spam reputation (=> harder to send emails)
  • brute-force protection?

### XSS

Reflected XSS: display unescaped user input

  • Encoding context: HTML, JS, CSS … have different escape sequences for the same char (e.g. <) - look at where they’re mixed
  • Check the encoding consistency - manual encoding, omitting some chars
  • JS => load external resources, access cookies, manipulate the DOM

Task: steal the authCookie via search
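The "encoding context" point above, as an added example (my code, not from the workshop or its demo app): the same untrusted search term is rendered into an HTML body and into a JS string inside a `<script>` block, and only a context-aware encoder keeps the script block intact. The search term is constructed for the demo.

```python
import html
import json

# Constructed untrusted search term (not from the workshop app): it tries to close the
# page's <script> block and open its own.
SEARCH = '</script><script>alert(1)</script>'

def render_html_body(term: str) -> str:
    """HTML body context: entity-encode < > & " ' so the term is displayed, not parsed."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"

def render_js_context_wrong(term: str) -> str:
    """JS string context encoded for JSON only. json.dumps escapes quotes but leaves '<'
    alone, so the HTML parser still sees a literal </script> inside the block."""
    return f"<script>var q = {json.dumps(term)};</script>"

def render_js_context_right(term: str) -> str:
    """JS string context for the mixed HTML+JS case: JSON-encode, then replace the
    HTML-significant characters with \\uXXXX escapes that JS decodes but HTML does not."""
    encoded = (json.dumps(term)
               .replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))
    return f"<script>var q = {encoded};</script>"

def script_block_intact(page: str) -> bool:
    """Consistency check: the only </script> on the page must be the one we emitted."""
    return page.count("</script>") == 1
```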

### SQL injection

Error-based injection: when the DB helps us by telling us what is wrong -> use it to learn more and even show some data

Ex.: <-- supercarid is a column name

  • orderby=(select * from userprofile) …
  • learn about the DB structure, force an exception that shows the value, ex.: (select top 1 cast(password as int) from userprofile) => “Conversion failed for the nvarchar value ‘passw0rd …’"

  • think of SQL commands that disclose structure: sys.tables, sys.columns, system commands
  • enumerate records: nest queries: select top X rows asc, then top 1 row from that desc
  • write out how you think the query works / is being constructed internally
  • cast things to invalid types to disclose values in error msgs (or an implicit cast due to -1 ..)

#### Defenses

  • whitelist input data types (id=123 => only allow ints)
  • enumerable values - check against an appropriate whitelist
  • if the value is stored - who uses it, how? make the query/insertion safe
  • permissions: give read-only permissions as much as possible; don’t use admin user from your webapp

### Mobile apps

  • Look at HTTP req for sensitive data - creds, account, …
  • Apps may ignore certificate validations
  • In your app: param tampering, auth bypass, direct object refs
  • Weak often: airlines, small-scale shops, fast food, …

  • certificate pinning - the app has the fingerprint of the server cert hardcoded and doesn’t trust even a “valid” MITM certificate (banks, Dropbox, …)

### CSRF Cross-Site Request Forgery

= make the user send a request => their auth cookie is included

  • an async Ajax request to another site is forbidden, but that doesn’t apply to a normal form post

  • anti-forgery tags
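The anti-forgery tag idea, as an added example (my code, not the workshop's): the token is an HMAC over the session id that only the site's own page can embed in the form, so a cross-site POST carrying the victim's AuthCookie but no token is refused. The field name `antiforgery_token`, the server key and the session id are constructed for the demo.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed per-deployment secret (hypothetical)

def issue_token(session_id: str) -> str:
    """Anti-forgery token for a logged-in session: HMAC(server key, session id).
    It is embedded in the real form; a page on another origin cannot read it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_vote(cookies: dict, form: dict) -> str:
    """Server side of a state-changing POST. The browser attaches AuthCookie to a
    cross-site form post as well, so the cookie alone must not authorise the action."""
    session_id = cookies.get("AuthCookie")
    if session_id is None:
        return "401 not logged in"
    supplied = form.get("antiforgery_token", "")
    if not hmac.compare_digest(issue_token(session_id), supplied):
        return "403 anti-forgery token missing or invalid"
    return f"200 vote recorded for supercarid={form.get('supercarid')}"

def legit_post(session_id: str) -> str:
    # The site's own page rendered the hidden antiforgery_token field from issue_token().
    form = {"supercarid": "1", "antiforgery_token": issue_token(session_id)}
    return handle_vote({"AuthCookie": session_id}, form)

def forged_post(session_id: str) -> str:
    # Auto-submitted form on a third-party page: the browser adds the cookie, but the
    # other site cannot know the token, so the field is absent.
    return handle_vote({"AuthCookie": session_id}, {"supercarid": "1"})
```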

### Understanding framework disclosure

  • How disclosed:
    • headers
    • familiar signs - jsessionid cookie for Java, …
    • the default error and 404 responses may help to recognize the framework
    • HTML code (reactid), “.do” for Struts
    • implicit: order of headers (Apache vs IIS), paths (capitalized?), response to an improper HTTP version/protocol
      • => likely still possible to figure out the stack but not possible to simply search for framework+version

### Session hijacking

Steal the authentication cookie => use it for illegal requests.

  • Persistence of auth/session over HTTP: cookie, URL (but the URL is insecure - can be shared)
  • Session/auth ID retrieval: insecure transport, referrer, stored in exceptions, XSS
  • Factors limiting hijacking: short expiry, keyed to client device / IP (but IPs may rotate, esp. on mobile devices => be very cautious)



### Cracking passwords

Password hashing:

  • salt: so that 2 ppl choosing the same psw will have a different hash => cracking is #salts * #passwords instead of just N
  • hash cracking tips:
    • character space [a-zA-Z0-9]
    • Dictionary: passw0rd, …
    • Mutations: manipulation and substitution of characters

  • 1Password, LastPass, …
  • GPU ~100x faster than CPU

#### Ex: Crack with hashcat

Common psw dictionary + md5-hashed passwords => crack:

`./hashcat-cli64.bin --hash-type=0 StratforHashes.txt` # 23M psw dictionary -> Recovered: 44 326/860 160 hashes [note: duplicates] in 4 min (speed 135.35k plains)

Q: What dictionary do we use? Do we apply any mutations to it?
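The "#salts * #passwords instead of N" point from the hashing notes and the md5 dictionary run above, as an added example (my code, not the workshop's): a constructed four-user dump of unsalted MD5 falls to one lookup table, while the same passwords stored with a per-user salt and PBKDF2 force one KDF run per user per candidate. Users, passwords and the word list are constructed.

```python
import hashlib
import os

# Constructed "leaked dump": unsalted MD5 (hashcat --hash-type=0) of four users' passwords;
# two of them chose the same password.
PLAINTEXTS = {"u1": "passw0rd", "u2": "letmein", "u3": "passw0rd", "u4": "Tr0ub4dor&3"}
LEAKED_MD5 = {u: hashlib.md5(p.encode()).hexdigest() for u, p in PLAINTEXTS.items()}
WORDLIST = ["password", "passw0rd", "letmein", "123456"]   # constructed mini dictionary

def recover_unsalted(dump: dict, words: list) -> dict:
    """One table of len(words) MD5s is compared against every hash: the cost is N
    (the dictionary size), and users sharing a password fall together for free."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    return {user: table[h] for user, h in dump.items() if h in table}

def store_salted(password: str, iterations: int) -> tuple:
    """Per-user random salt + a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def recover_salted(store: dict, words: list) -> tuple:
    """Salted: no shared table is possible, every candidate is rehashed per user, so the
    cost becomes #salts * #words KDF runs. Returns (found, kdf_runs)."""
    found, kdf_runs = {}, 0
    for user, (salt, iterations, digest) in store.items():
        for w in words:
            kdf_runs += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, iterations) == digest:
                found[user] = w
                break
    return found, kdf_runs
```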

### Account enumeration

  • = Does XY have an account?
  • Multiple vectors (psw reset, register a new user with the same e-mail, …)
  • Anti-automation: is there any? It may be inconsistent across vectors
  • Does it matter? (vs. privacy needs)
  • How to “ask” the site and how to identify positive and negative responses?
  • Timing attacks: distinguish positive vs negative response based on the latency differing between the two
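A login handler that does not answer "does XY have an account?" either by its message or by its timing, as an added example (my code, not the workshop's), next to the naive variant that does. The user table, password and dummy record are constructed; PBKDF2 stands in for whatever hash the site uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000
# Constructed user table (hypothetical): only alice has an account.
_salt = os.urandom(16)
USERS = {"alice@example.test": (_salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", _salt, ITERATIONS))}
# Dummy record used on every miss: an unmatchable 32-byte digest, so "no such account"
# costs exactly as much KDF work as "wrong password".
_DUMMY = (os.urandom(16), bytes(32))
GENERIC_FAILURE = "Invalid email or password"

def login(email: str, password: str) -> tuple:
    """Returns (ok, message). Same message and same amount of KDF work for an unknown
    email and for a wrong password, so neither the text nor the latency enumerates users."""
    exists = email in USERS
    salt, digest = USERS[email] if exists else _DUMMY
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    ok = hmac.compare_digest(candidate, digest) and exists
    return (True, "Logged in") if ok else (False, GENERIC_FAILURE)

def login_naive(email: str, password: str) -> tuple:
    """The enumerable variant: bails out early (fast) with a distinct message."""
    if email not in USERS:
        return False, "No account for that email"
    salt, digest = USERS[email]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return (True, "Logged in") if hmac.compare_digest(candidate, digest) else (False, "Wrong password")
```

The same "do the expensive step on every path" rule applies to the other vectors listed above (password reset, registration), which are often forgotten even when login is fixed.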


Confidentiality, Integrity, Authenticity

Traffic hijacking - a wifi hotspot with evil capabilities:

  • monitor probe requests (the phone looks for networks it knows), present yourself as one of those, the phone connects automatically (if no encryption)
  • Consider everything sent over HTTP to be compromised
  • Look at HTTPS content embedded in untrusted pages (iframes, links) - e.g. a payment page embedded in http

### Content Security Policy header

See e.g. headers

Without CSP:

  • anything can be added to the page via a reflected XSS risk
  • anything can be added to the DOM downstream (on a proxy)

With CSP the browser will only load resources you white-list; any violations can be reported.

Use e.g. to create it and the report to watch for violations to fine-tune it.
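The white-list-and-report cycle above, as an added example (my code, not the workshop's): an allow-list is serialised into the header, and the JSON violation reports browsers POST to `report-uri` are grouped so you can tell a legitimate source you forgot to list from an injected one. The policy, hostnames and report payloads are constructed; the `csp-report` field names are those of the browser report format.

```python
import json

def build_csp(policy: dict, report_uri: str) -> str:
    """Serialise an allow-list into a Content-Security-Policy header value."""
    parts = [f"{directive} {' '.join(sources)}" for directive, sources in policy.items()]
    parts.append(f"report-uri {report_uri}")
    return "; ".join(parts)

POLICY = {                      # constructed allow-list for a hypothetical site
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.test"],
    "img-src": ["'self'", "data:"],
}

def summarise_reports(raw_reports: list) -> dict:
    """Group browser violation reports by (directive, blocked URI): a recurring first-party
    host belongs on the white-list, a foreign script host on a search page does not."""
    counts = {}
    for raw in raw_reports:
        r = json.loads(raw)["csp-report"]
        key = (r["violated-directive"], r.get("blocked-uri", ""))
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample reports in the shape a browser POSTs to report-uri.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://site.example.test/search",
                               "violated-directive": "script-src",
                               "blocked-uri": "https://evil.example.test/x.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://site.example.test/",
                               "violated-directive": "img-src",
                               "blocked-uri": "https://images.example.test/logo.png"}}),
    json.dumps({"csp-report": {"document-uri": "https://site.example.test/search",
                               "violated-directive": "script-src",
                               "blocked-uri": "https://evil.example.test/x.js"}}),
]
```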

### SQL injection cont'd

(Yesterday: error-based)

#### Union-based SQLi

Modify the query to union whatever other data and show them. Gets more data faster than error-based injection.

Ex.: V12 -> `V12' union select voteid, comments collate SQL_Latin1_General_CP1_CI_AS from vote-- `

#### Blind Boolean (laborious)

Blind injection: we can’t always rely on data being explicitly returned to the UI => ask a question, draw a conclusion about the data.

Ex: ->

orderby => case when (select count(*) from userprofile) > 1 then powerkw else topspeedkm end

Extract email: is the ascii of lowercase char #1 < ascii of 'm'?

Automation: sqlmap

#### Time-based blind injection

When no useful output is returned but yes/no responses differ significantly in how much time they take. E.g. ask the DB to delay the OK response.

MS SQL: IF 'b' > 'a' WAITFOR DELAY '00:00:05'
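The `orderby` injection from both SQLi sections (error-based yesterday, boolean-blind above) next to the two defenses from the list (type whitelist and parameterisation), as an added example (my code, not the workshop app's). sqlite3 stands in for MS SQL, so `top` and `WAITFOR` are unavailable and the boolean `case when` probe is the one exercised; the tables, rows and column names other than `supercarid`, `powerkw`, `topspeedkm` and `userprofile` are constructed.

```python
import sqlite3

# Constructed in-memory schema echoing the workshop app's tables (sqlite3, not MS SQL).
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE supercar (supercarid INTEGER, name TEXT, powerkw INTEGER, topspeedkm INTEGER);
INSERT INTO supercar VALUES (1,'Alpha',300,320),(2,'Beta',500,250),(3,'Gamma',400,400);
CREATE TABLE userprofile (email TEXT, password TEXT);
INSERT INTO userprofile VALUES ('a@example.test','passw0rd'),('b@example.test','hunter2');
""")

def list_cars_vulnerable(orderby: str) -> list:
    """The query is built by string concatenation, so orderby is executed as SQL."""
    rows = db.execute(f"SELECT name FROM supercar ORDER BY {orderby}").fetchall()
    return [r[0] for r in rows]

ALLOWED_ORDER = {"supercarid", "name", "powerkw", "topspeedkm"}

def list_cars_hardened(orderby: str) -> list:
    """ORDER BY cannot take a bound parameter, so the column name is checked against
    an enumerable whitelist before it is interpolated."""
    if orderby not in ALLOWED_ORDER:
        raise ValueError(f"unsupported sort column: {orderby!r}")
    return [r[0] for r in db.execute(f"SELECT name FROM supercar ORDER BY {orderby}").fetchall()]

def get_car_hardened(supercarid):
    """Whitelist the type (an int) and bind it as a parameter: id=123 only ever means 123."""
    if not isinstance(supercarid, int):
        raise TypeError("supercarid must be an int")
    row = db.execute("SELECT name FROM supercar WHERE supercarid = ?", (supercarid,)).fetchone()
    return row[0] if row else None

# The boolean-blind probe from the notes: the sort order answers a yes/no question
# about an unrelated table (here: does userprofile hold more than one row?).
BLIND_PROBE = "case when (select count(*) from userprofile) > 1 then powerkw else topspeedkm end"
```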

### Brute force attacks

  • Are there any defences? Often not
  • How are defences implemented?
    • block the requested resource
    • block the src IP
    • rate limit (by src IP)

### Automation

  • penetration testing apps and services such as Netsparker, WhiteHatSec
  • target identification: Shodan, Google dorks, random crawling
  • think about the actions that adhere to a pattern - SQL injection, fuzzing (repeat a request trying different values for fields - SQLi, …), directory enumeration
  • automation can be used for good - test your site
  • tip: have automated penetration testing (and perhaps static code analysis) as a part of your build pipeline

Task: Get the DB schema using sqlmap (see python2.7 --help)

### Protection

Intrusion Detection System (IDS) - e.g. Snort

Web Application Firewall (WAF) - e.g. Cloudflare ($20/m)

### Various

Tags: security

Copyright © 2024 Jakub Holý