"Do Not Push To Production" And Other Insecure Code, Demonstrated By An Ethical Hacker

Viewers got to see some interesting vulnerabilities and coding practices that made her demo app pretty open to exploits.
A friend of mine published a book about it over 25 years ago, called The Happy Hacker.
If you're hacking without permission, no matter what your motives, you could get arrested.
Don't try to nuke your target, crash it, or delete production data to prove your hack.
Remember, if you're hacking ethically, you're a guest in the systems you breach, so be respectful.
The Sakura Samurai ethical hacking group exposed a security hole that provided access to sensitive United Nations data.
Sonya's demo went through hacking an app called Patch, which is a deliberately vulnerable demo application, written in Node.js.
One of the first steps in hacking is reconnaissance.
She found her way to the top level of the app directory, giving her the ability to view and exfiltrate the entire source code.
She got access to all the code, not just that file.
She scrolled further down to find the code associated with the chat endpoint and that's when I almost.
DO NOT PUSH TO PRODUCTION. For those of you who aren't programmers, that's a comment in the code.
It's a reminder to anyone who reads the code, but has absolutely zero impact on whether the code will actually get pushed to production.
This is why I almost covered my monitor in Coke Zero Sugar, because it's the coding equivalent of a slapstick gag.
She went back through the code, found something interesting, traced it to another outdated package with a Prototype Pollution vulnerability, and was able to use it to inject code that gave her the ability to delete chat messages.
Wrapping Up

When I did a demonstration of how to code a simple WebSockets chat at a developer meetup over 10 years ago, my app was so simple that it didn't sanitize the messages.
It's easier than you think to write vulnerable code and ethical hacking can help you find it when you have.
If you ignore any of those, your hacking is not ethical and you could get in trouble.
If you want to learn more about ethical hacking, our friends at Snyk have a great set of ethical hacking resources for you to explore.
Remember, an important bit of hacker recon is to go through public repositories, looking for plaintext secrets in your public code.


This Cyber News was published on securityboulevard.com. Publication date: Tue, 05 Dec 2023 11:43:05 +0000

