aashima
Between, you mentioned in your talk on CE that you get paid for being a hacker. Now that sounds like something out of the box and interesting. Could you be a little more elaborate about it?
I guess I really didn't elaborate much about that. Well, since you ask, I'm very passionate about web app security, which is why I have chosen to do it full time for a living, and why I do my podcast about it.
My job:
My work at NT OBJECTives consists of me spending countless hours reading mailing list and forum discussions, chatting with other web app security professionals and reading every article and website about the subject. In addition I do a lot of my own research to discover what kinds of mistakes web developers are making, and how I can exploit these patterns.
I then have to take every bit of my research and figure out how to reproduce the attacks in an automated way, where we can have some reasonable degree of confidence that when we think we found a vuln, it really is one.
There are things I can do as a human, with leaps of logic and intuition, which are extremely hard to accomplish with a computer, which needs to deal in facts. In computer science we call this fuzzy logic, and it's a very hard problem to tackle.
The actual hacking:
Well, in web apps there are a number of categories of attacks. I don't want to get too far into it, because it's a discussion of its own, but some of the major ones are SQL Injection, Cross Site Scripting (XSS) and various resource discovery issues.
Resource discovery - In this we try to find files that could lead to information. For example, when you request a file with a .php extension, the web server executes this through the PHP engine, and the result is displayed. But if the developer is developing on the server and leaves a somefile.php.bak file, and I request this, then I will see the actual source code. Imagine if this was the config file, with its database passwords. Even a normal source file could tell me important information about the database. So I look for these kinds of files, and learn what I can when I do find them.
SQL Injection - With these attacks I attempt to leverage the fact that web apps often take user input as part of a generated SQL query. If I provide an input that will have the effect of altering the SQL statement into what I want... I can accomplish fun things. Check out my podcast about this. So when I'm hacking a web app, I'm looking for user input being used in SQL statements which is not being properly validated.
Cross Site Scripting (XSS) - Sites often take input which is re-displayed back to other users. What we attempt is to provide inputs that will still generate a valid HTML file, but one that is altered into doing something we want for attacking other users. Again, I have a podcast about this which would be informative to listen to and follow along with.
Hope that helps 😀
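The two injection classes named in the answer above (SQL Injection and XSS), shown as an added example that is not part of the original post or of NT OBJECTives' tooling. Each is written in the vulnerable form the answer describes (user input pasted into a SQL string, user input echoed into HTML) beside the hardened form a developer should ship (bound parameters, output escaping). The users table, the `login_*` and `render_comment_*` function names and the sample inputs are all constructed for this example; it uses only the Python standard library so it runs offline.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for a real web app database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The pattern the answer warns about: user input becomes part of the SQL text.

    A password value containing a quote changes the structure of the statement
    instead of being compared as data, so the WHERE clause no longer means
    what the developer wrote.
    """
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username, password):
    """Hardened form: the SQL text is fixed, input travels as bound parameters.

    Whatever characters the input contains, the database engine treats it as a
    value to compare, never as part of the query grammar.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def render_comment_vulnerable(comment):
    """Input re-displayed to other users with no encoding: markup in the
    comment becomes markup in the page every other visitor loads."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Hardened form: HTML-encode on output so the browser shows the text
    literally. quote=True also encodes quotes, which matters if the value
    ever lands inside an attribute."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def tautology_bypasses_login(conn):
    """Constructed test case: the textbook tautology input. Returns a pair
    (vulnerable_result, safe_result); a correct fix yields (True, False)."""
    probe = "' OR '1'='1"
    return (
        login_vulnerable(conn, "alice", probe),
        login_safe(conn, "alice", probe),
    )


if __name__ == "__main__":
    db = make_db()
    print("tautology (vulnerable, safe):", tautology_bypasses_login(db))
    sample = "<script>alert(1)</script>"
    print("vulnerable render:", render_comment_vulnerable(sample))
    print("safe render:     ", render_comment_safe(sample))
```

Validation ("is this input allowed at all?") and parameterisation/encoding ("is this input handled as data at the point of use?") are separate controls; the answer's remark about input "not being properly validated" is usually fixed by the second one, with validation added on top for values that have a known shape.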
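The resource discovery issue the answer describes (a somefile.php.bak left in the web root that the server hands out as plain text), approached from the server owner's side as an added example that is not part of the original post: an audit that walks a document root and flags backup and editor-swap copies of server-side source files before a visitor finds them. The suffix lists, the `find_exposed_backups` name and the sample document root are constructed for this example; the sample tree is built in a temporary directory so it runs offline.

```python
import os
import tempfile

# Extensions the web server would normally execute rather than serve raw.
# (Constructed list; extend it to match the stacks actually deployed.)
SOURCE_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".py", ".inc"}

# Suffixes that editors, deploy scripts and humans commonly append. A file
# named config.php.bak is not ".php" any more, so the engine does not run it
# and the server returns the source text verbatim.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", "~")


def is_exposed_backup(filename):
    """True if filename looks like a backup copy of a server-side source file,
    e.g. config.php.bak, index.php~ or the vim swap file .config.php.swp."""
    for suffix in BACKUP_SUFFIXES:
        if filename.endswith(suffix):
            stem = filename[: -len(suffix)]
            if os.path.splitext(stem)[1].lower() in SOURCE_EXTENSIONS:
                return True
    if filename.startswith(".") and filename.endswith(".swp"):
        stem = filename[1:-4]
        if os.path.splitext(stem)[1].lower() in SOURCE_EXTENSIONS:
            return True
    return False


def find_exposed_backups(docroot):
    """Walk docroot and return the relative paths of every file that would
    leak source if requested over HTTP, sorted for stable reporting."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for name in filenames:
            if is_exposed_backup(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


def build_sample_docroot():
    """Constructed document root: a few legitimate files plus the kinds of
    leftovers the answer talks about. Returns the directory path."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "include"))
    for rel in (
        "index.php",
        "config.php",
        "config.php.bak",          # backup of the file holding DB credentials
        ".index.php.swp",          # editor swap file left by an open session
        os.path.join("include", "db.inc.orig"),
        "readme.txt.bak",          # backup of a text file: served raw anyway
    ):
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write("sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for path in find_exposed_backups(root):
        print("exposed source backup:", path)
```

Run it against the real document root as part of deployment; the fix for every hit is to remove the file from the web root (or never deploy from a working tree), and as a second layer to configure the server to refuse requests for these suffixes so a future mistake is not served.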