Notes from Troy Hunt’s Hack Yourself First workshop

Troy Hunt (@troyhunt, blog) had a great, very hands-on 2-day workshop about webapp security at NDC Oslo. Here are my notes.

Highlights – resources

Personal security and privacy

Site security

Breaches etc.

To follow

Books

Other

Notes

  • HackYourselfFirst.troyhunt.com – an example app with many vulnerabilities
  • Note: maximizing your browser window will share info about your screen size, which might help to identify you
  • haveibeenpwned.com – Troy’s online DB of hacked accounts

Tips

  • check robots.txt to know what to access

Example Issues

  • no https on login page
  • insecure psw requirements
  • cookies without the Secure flag => sent over http (incl. AuthCookie)
  • psw sent in clear text in confirm email
  • user enumeration, e.g. an issue with AdultFriendFinder – enter someone’s email at login to find out whether they have an account
  • post illegal chars, get them displayed => injection
  • no anti-automation (captcha)
    • login confirm. email & autom. creating 1m accounts => sending 1m emails => pisses ppl off, likely increase one’s spam reputation (=> harder to send emails)
  • brute-force protection?

### XSS

Reflected XSS: display unescaped user input

  • Encoding context: HTML, JS, CSS … have diff. escape sequences for the same char (e.g. <) – look at where they’re mixed
  • Check the encoding consistency – manual encoding, omitting some chars
  • JS => load ext resources, access cookies, manipulate the DOM
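Added example (not from the workshop or the original notes): the same search term encoded for each output context, showing that `<` needs a different escape in HTML, URL, JS and CSS. The template, the `/search` path and the `q` parameter are assumptions.

```python
import html
import json
import urllib.parse

def encode_html(value):
    # HTML element / quoted attribute context: "<" becomes "&lt;"
    return html.escape(value, quote=True)

def encode_js_string(value):
    # JS string literal inside a <script> block. json.dumps escapes quotes,
    # backslashes and newlines; the loop also escapes <, > and & so the HTML
    # parser never sees "</script>" inside the literal.
    literal = json.dumps(value)
    for ch in "<>&":
        literal = literal.replace(ch, f"\\u{ord(ch):04x}")
    return literal

def encode_url_param(value):
    # URL query-string value: "<" becomes "%3C"
    return urllib.parse.quote(value, safe="")

def encode_css_string(value):
    # CSS string/identifier context: hex escape plus terminating space
    return "".join(
        c if c.isascii() and c.isalnum() else f"\\{ord(c):x} " for c in value
    )

def render_search(term):
    # Hypothetical search-results template (assumed names), one encoder
    # per place the untrusted value lands.
    return (
        f"<p>You searched for {encode_html(term)}</p>"
        f'<a href="/search?q={encode_url_param(term)}">link</a>'
        f"<script>var term = {encode_js_string(term)};</script>"
    )

if __name__ == "__main__":
    print(render_search("</script><script>alert(1)</script>"))
```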

Task: steal authCookie via search

### SQL injection

Error-based injection: when the DB helps us by telling us what is wrong -> use it to learn more and even show some data

Ex.: http://hackyourselffirst.troyhunt.com/Make/10?orderby=supercarid <—— supercarid is a column name

  • orderby=(select * from userprofile) …
  • learn about DB structure, force an exception that shows the value, ex.: (select top 1 cast(password as int) from userprofile) => “Conversion failed for the nvar value ‘passw0rd …’”

Tips

  • think of SQL commands that disclose structure: sys.(tables,columns), system commands
  • enumerate records: nest queries: select top X rows asc then top 1 rows from that desc
  • write out how you think the query works / is being constructed internally 
  • cast things to invalid types to disclose values in err msgs (or implicit cast due to -1 ..)

#### Defenses

  • whitelist input data types (id=123 => only allow ints)
  • enumerable values – check against an appropr. whitelist
  • if the value is stored – who uses it, how? making query/insertion safe
  • permissions: give read-only permissions as much as possible; don’t use admin user from your webapp
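Added example (not from the workshop or the original notes): the first two defenses applied to an `orderby`-style endpoint, using SQLite in memory. The table, its columns and the function names are assumptions modelled on the URL parameters above.

```python
import sqlite3

# Enumerable value: request string -> fixed SQL identifier (assumed columns).
ALLOWED_ORDER_COLUMNS = {"powerkw": "PowerKw", "topspeedkm": "TopSpeedKm"}

def make_db():
    # Constructed sample data, not the workshop app's schema.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE Supercar (SupercarId INTEGER PRIMARY KEY, MakeId INTEGER,"
        " Name TEXT, PowerKw INTEGER, TopSpeedKm INTEGER)"
    )
    db.executemany(
        "INSERT INTO Supercar VALUES (?, ?, ?, ?, ?)",
        [(1, 10, "A", 500, 330), (2, 10, "B", 700, 320), (3, 11, "C", 600, 350)],
    )
    return db

def parse_int(raw, low=1, high=2**31 - 1):
    # id=123 => only allow ints: plain ASCII digits within a sane range.
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("not an integer")
    value = int(raw)
    if not low <= value <= high:
        raise ValueError("integer out of range")
    return value

def leaderboard(db, make_id_raw, order_by_raw, asc_raw):
    make_id = parse_int(make_id_raw)
    # Identifiers cannot be bound as parameters, so the request value only
    # selects one of our own constants and is never put into the SQL text.
    column = ALLOWED_ORDER_COLUMNS.get(order_by_raw.lower())
    if column is None:
        raise ValueError("unknown sort column")
    direction = "ASC" if asc_raw.lower() == "true" else "DESC"
    sql = f"SELECT Name FROM Supercar WHERE MakeId = ? ORDER BY {column} {direction}"
    return [row[0] for row in db.execute(sql, (make_id,))]

if __name__ == "__main__":
    print(leaderboard(make_db(), "10", "PowerKw", "false"))
```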

### Mobile apps

  • Look at HTTP req for sensitive data – creds, account, …
  • Apps may ignore certificate validations
  • In your app: param tampering, auth bypass, direct object refs
  • Weak often: airlines, small scale shops, fast foods, …

Tips

  • certificate pinning – the app has the fingerprint of the server cert. hardcoded and doesn’t trust even a “valid” MITM certificate (banks, dropbox, …)

### CSRF Cross-Site Request Forgery

= make the user send a request => their auth cookie included

  • async Ajax req to another site forbidden but that doesn’t apply to normal post

Protection

  • anti-forgery tags
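Added example (not from the workshop or the original notes): one way an anti-forgery token can work, as an HMAC bound to the session and checked on every POST. The `csrf_token` field name, key handling and handler are assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret kept on the server

def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id):
    # Rendered into the form as a hidden field. A page on another origin can
    # make the browser send the auth cookie, but it cannot read this value.
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def verify_token(session_id, token):
    try:
        nonce, mac = token.split(".", 1)
    except (ValueError, AttributeError):
        return False
    expected = _mac(session_id, nonce)
    # Compare as bytes in constant time; non-ASCII input simply fails.
    return hmac.compare_digest(mac.encode(), expected.encode())

def handle_post(session_id, form):
    # Hypothetical state-changing handler: the cookie alone is not enough.
    if not verify_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200

if __name__ == "__main__":
    token = issue_token("session-A")
    print(handle_post("session-A", {"csrf_token": token}))  # legitimate form
    print(handle_post("session-A", {}))                     # forged request
```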

### Understanding fwrk disclosure

  • How disclosed:
  • headers
  • familiar signs – jsessionid cookie for java, …
  • The default error and 404 responses may help to recognize the fwrk
  • HTML code (reactid), “.do” for Struts
  • implicit: order of headers (Apache x IIS), paths (capitalized?), response to improper HTTP version/protocol
    • => likely still possible to figure out the stack but not possible to simply search for fwrk+version

### Session hijacking

Steal authentication cookie => use for illegal requests.

  • Persistence over HTTP of auth., session: cookie, URL (but URL insecure – can be shared)
  • Session/auth ID retrieval: insecure transport, referrer, stored in exceptions, XSS
  • Factors limiting hijacking: short duration expiry, keyed to client device / IP (but IPs may rotate, esp. on mobile devices => be very cautious)
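Added example (not from the workshop or the original notes): a check to run against your own site's responses that reports auth cookies missing the attributes that limit theft over plain HTTP or via XSS. The header values are constructed samples and the function name is an assumption.

```python
from http.cookies import SimpleCookie

# (Morsel attribute key, label used in the report)
CHECKS = [("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")]

def audit_response(headers, sensitive=("AuthCookie",)):
    """Return {cookie name: [missing attributes]} for the sensitive cookies."""
    report = {}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if name not in sensitive:
                continue
            # Secure: never sent over http. HttpOnly: not readable from JS,
            # so an XSS cannot simply read it. SameSite: limits cross-site sends.
            missing = [label for attr, label in CHECKS if not morsel[attr]]
            if missing:
                report[name] = missing
    return report

# Constructed response headers for illustration.
WEAK = [("Content-Type", "text/html"),
        ("Set-Cookie", "AuthCookie=abc123; path=/")]
HARDENED = [("Set-Cookie", "AuthCookie=abc123; path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    print(audit_response(WEAK))
    print(audit_response(HARDENED))
```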

DAY 2

——–

### Cracking passwords

Password hashing: 

  • salt: so that 2 ppl choosing the same psw will have a different hash => cracking is # salts * # passwords inst. of just N
  • hash cracking tips:
    • character space [a-zA-Z0-9]
    • Dictionary: passw0rd, …
    • Mutations: manipulation and subst. of characters

Tips:

  • 1Password , LastPass, ….
  • GPU ~ 100* faster than CPU

#### Ex: Crack with hashcat

common psw dict + md5-hashed passwords => crack

./hashcat-cli64.bin --hash-type=0 StratforHashes.txt hashkiller.com.dic # 23M psw dict -> Recovered.: 44 326/860 160 hashes [note: duplicates] in 4 min (speed 135.35k plains)

Q: What dictionary do we use? Do we apply any mutations to it?

### Account enumeration

  • = Does XY have an account?
  • Multiple vectors (psw reset, register a new user with the same e-mail, …)
  • Anti-automation: is there any? It may be inconsistent across vectors
  • Does it matter? (<> privacy needs)
  • How to “ask” the site and how to identify + and – responses?
  • Timing attacks: distinguish positive x negative response based on the latency differing between the two
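Added example (not from the workshop or the original notes), covering both the salt note under "Cracking passwords" and the enumeration vectors above: per-user salted PBKDF2 hashes, plus login and reset handlers that answer identically and do the same hashing work whether or not the account exists. The iteration count, messages and in-memory store are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000          # assumed work factor; tune for your hardware
USERS = {}                    # email -> (salt, digest); stand-in for a DB
GENERIC_FAILURE = "Invalid e-mail or password."
RESET_REPLY = "If that address has an account, a reset link has been sent."

def hash_password(password, salt=None):
    # A fresh random salt per user: the same password gives different
    # hashes, so every account has to be attacked separately.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

# Throwaway record so a lookup miss still costs one full hash computation.
_DUMMY = hash_password(os.urandom(16).hex())

def register(email, password):
    USERS[email.lower()] = hash_password(password)

def login(email, password):
    known = email.lower() in USERS
    salt, expected = USERS.get(email.lower(), _DUMMY)
    _, candidate = hash_password(password, salt)
    # Same code path and same message for "no such user" and "wrong psw";
    # this narrows the latency gap, it does not remove every timing signal.
    ok = hmac.compare_digest(candidate, expected) and known
    return "OK" if ok else GENERIC_FAILURE

def request_password_reset(email):
    if email.lower() in USERS:
        pass  # queue the e-mail out of band so the response time is unaffected
    return RESET_REPLY

if __name__ == "__main__":
    register("a@example.com", "passw0rd")
    register("b@example.com", "passw0rd")
    print(USERS["a@example.com"][1] != USERS["b@example.com"][1])
    print(login("nobody@example.com", "x"), "|", login("a@example.com", "x"))
```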

### HTTPS

Confidentiality, Integrity, Authenticity

Traffic hijacking: https://www.wifipineapple.com/ – wifi hotspot with evil capabilities

    • monitor probe requests (the phone looks for networks it knows), present yourself as one of those, the phone connects autom. (if no encryption)
  • Consider everything sent over HTTP to be compromised
  • Look at HTTPS content embedded in untrusted pages (iframes, links) – e.g. payment page embedded in http

Links

### Content Security Policy header

https://developer.chrome.com/extensions/contentSecurityPolicy See e.g. https://haveibeenpwned.com/ headers

w/o CSP

  • anything can be added to the page via a reflected XSS risk
  • Anything can be added to the DOM downstream (on a proxy)

With CSP the browser will only load resources you white-list; any violations can be reported

Use e.g. https://report-uri.io/home/generate to create it, and use the reports to watch for violations and fine-tune it.

### SQL injection cont’d

(Yesterday: Error-Based)

#### Union Based SQLi

Modify the query to union whatever other data and show them. More data faster than error-based inj.

Ex.: http://hackyourselffirst.troyhunt.com/CarsByCylinders?Cylinders=V12 : V12 -> `V12' union select voteid, comments collate SQL_Latin1_General_CP1_CI_AS from vote-- `

#### Blind Boolean (laborious)

Blind inj.: We can’t always rely on data being explicitly returned to the UI => ask a question, draw a conclusion about the data.

Ex: 

http://hackyourselffirst.troyhunt.com/Supercar/Leaderboard?orderBy=PowerKw&asc=false -> 

orderby => case when (select count(*) from userprofile) > 1 then powerkw else topspeedkm end

 

Extract email: Is ascii of the lowercase char #1 < ascii of m ?

Automation: SqlMap

#### Time based blind injection

When no useful output is returned but yes/no responses differ significantly in how much time they take. E.g. ask the DB to delay the OK response.

MS SQL: IF 'b' > 'a' WAITFOR DELAY '00:00:05'

### Brute force attacks

  • Are there any defences? Often not
  • How are defences impl?
    • block the req resources
    • block the src IP
    • rate limit (by src IP)

### Automation

  • penetration testing apps and services such as Netsparker, WhiteHatSec
  • targets identification: shodan, googledorks, random crawling
  • think about the actions that adhere to a pattern – sql injection, fuzzing (repeat a req. trying diff. values for fields – SQLi, …), directory enumeration
  • automation can be used for good – test your site
  • tip: have autom. penetration testing (and perhaps static code analysis) as a part of your build pipeline

Task: Get DB schema using sqlmap (see python2.7 sqlmap.py --help)

### Protection

Intrusion Detection System (IDS) – e.g. Snort

Web Application Firewall (WAF) – e.g. Cloudflare ($20/m)

### Various


Published by Jakub Holý

I’m a JVM-based developer since 2005, consultant, and occasionally a project manager, working currently with Iterate AS in Norway.

One thought on “Notes from Troy Hunt’s Hack Yourself First workshop”

  1. About “Note: maximizing your browser window will share info about your screen size, which might help to identify you”
    => Here is a tool to determine how unique your browser is (based on many criteria: screen resolution, plugins, preferred language…)
    https://panopticlick.eff.org/
