Thought hacking was hard? It’s not, it’s easy and I’m going to show you how! We’ll investigate a series of hacking stories and break them down step-by-step to see exactly how they did it. By the end you’ll walk away a little bit more scared and a lot more prepared with some great practices you can apply immediately to your own applications.

1. Asim Hussain
@jawache
codecraft.tv
microsoft.com

3. it can
happen to
you @jawache

4. #1
@jawachePhoto by Kristina Flour on Unsplash

5. @jawachePhoto by Veri Ivanova on Unsplash

7. @jawacheMr Robot

9. @jawache

10. @jawachePhoto by Nolan Issac on Unsplash

11. On Premise
Hardware
OS
App
IaaS
Hardware
OS
App
PaaS
Hardware
OS
App
@jawache

12. Google App Engine
Heroku
Amazon Beanstalk
Azure App Services

14. @jawache

15. @jawacheIt's Always Sunny In Philadelphia

16. #2
@jawache

17. 'SELECT * FROM COMPANIES WHERE name =' + name;
@jawache

18. SELECT * FROM COMPANIES WHERE name =;
DROP TABLE "COMPANIES";
--LTD
@jawache

19. @jawache

20. @jawache

21. @jawachePhoto by Braydon Anderson on Unsplash

22. @jawache

23. @jawache

24. #3
@orange_8361

25. git push
http://example.com
@jawache

26. git push
http://localhost
@jawache

27. git push
http://0
@jawache

28. git push
http://0:9200/_shutdown
@jawache

29. def send_email(request):
try:
recipients = request.GET['to'].split(',')
url = request.GET['url']
proto, server, path, query, frag = urlsplit(url)
if query: path += '?' + query
conn = HTTPConnection(server)
conn.request('GET',path)
resp = conn.getresponse()
...
@jawache

30. http://0:8000/composer/send_email?
to=orange@nogg&
url=http://127.0.0.1:12345/foo
@jawache

31. def send_email(request):
try:
recipients = request.GET['to'].split(',')
url = request.GET['url']
proto, server, path, query, frag = urlsplit(url)
if query: path += '?' + query
conn = HTTPConnection(server)
conn.request('GET',path)
resp = conn.getresponse()
...
@jawache

32. rn
@jawache

33. %0D%0A
@jawache

34. http://127.0.0.1:12345/%0D%0Ahello%0D%0AFoo:
@jawache

35. GET /%0D%0Ahello%0D%0AFoo:
HTTP/1.1
Host: 127.0.0.1:12345
Accept-Encoding: identity
@jawache

36. GET /
hello
Foo: HTTP/1.1
Host: 127.0.0.1:12345
Accept-Encoding: identity
@jawache

37. ...:11211/%0D%0Aset%20key%200%20900%204%20data%0D%0A
@jawache

38. GET /
set key 0 900 4 data
HTTP/1.1
Host: 127.0.0.1:11211
Accept-Encoding: identity
@jawache

39. GET /
set key 0 900 4 data
HTTP/1.1
Host: 127.0.0.1:11211
Accept-Encoding: identity
@jawache

40. code
code
@jawache

41. code
code
@jawache

42. DeprecatedInstanceVariableProxy
@jawache

43. @jawache

45. @jawachePhoto by Kelly Sikkema on Unsplash

46. #4
@jawache

47. @jawache

48. @jawache

50. @jawache

51. cross-env vs. crossenv
@jawache

52. @jawachePhoto by Jairo Alzate on Unsplash

53. @scope/package-name
@jawache

54. Stop pretending
Don't assume
Small vulnerability
Don't trust anyone
PaaS
Sanitise
Fix
@jawache

55. https://www.pluralsight.com/courses/nodejs-security-
express-angular-get-started/
@jawache

56. Asim Hussain
@jawache
codecraft.tv
microsoft.com

57. Azure App Services
https://aka.ms/azure-app-service-docs
Google App Engine
https://cloud.google.com/appengine/
Heroku
https://heroku.com
Amazon Beanstack
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html
PaaS Platforms

58. Metasploit
https://www.metasploit.com/
DropTables Company
https://beta.companieshouse.gov.uk/company/10542519
SQLMap
http://sqlmap.org/
How I Chained 4 vulnerabilities on GitHub Enterprise - Orange Tsai
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
Malicious packages in npm. Here’s what to do - Ivan Akulov
https://iamakulov.com/notes/npm-malicious-packages/
Oscar Bolmsten on Twitter
https://twitter.com/o_cee/status/892306836199800836

59. npm module sqlstring
https://www.npmjs.com/package/sqlstring
Exploit DB
https://www.exploit-db.com/
Brian Clarke Security Course on Pluralsight
https://www.pluralsight.com/courses/nodejs-security-express-angular-get-started/