Ethical Hacking 101

In today's digital landscape, software security is paramount. To safeguard applications from cyber attacks, developers must embrace Ethical Hacking—an innovative approach that empowers them to uncover vulnerabilities and strengthen security measures.

Ethical Hacking involves adopting the mindset of malicious hackers to identify weaknesses and fortify defences against unauthorised access, data breaches, and other threats. By integrating this practice into the coding process, developers gain valuable insights, proactively mitigating risks and creating more robust and secure software systems. 

I took a basic lesson from Snyk about Ethical Hacking, which helps me consider security measures in coding. 

Process 

  • Plan & Prepare (Reconnaissance phase) 
  • Scan & Enumerate 
  • Exploit 
  • Analyse & Report
  • Communicate & Collaborate
  • Continuous Education & Professional Development 

Tools 

  • Nmap: network scanner 
  • Burp Suite: security testing of web applications 
  • Metasploit: penetration tests 
  • Wireshark: packet analyser 
  • Maltego: intelligence and forensics, graphical link analysis for real-time data mining. 
  • Snyk: scan, prioritize, and fix security vulnerabilities in code 
  • John the Ripper: password cracking tool 
  • Wappalyzer: identifies the technologies a website is built with 
  • Kali Linux: Linux distribution for digital forensics and penetration testing 

Best Practices 

  • Obtain permissions before conducting any testing 
  • Follow all relevant laws and regulations 
  • Do not use tools or techniques that could cause damage or disruption 
  • Use a risk-based approach 
  • Document your findings and provide a report to the owner 

 

XSS (Cross-Site Scripting) 


Cross-Site Scripting attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.


Example: Try to fill in 

[Totally Safe Link](javascript&#58;document.cookieStore.get('super_secret_cookie'&#41;.then((e&#41; => {document.getElementsByClassName('v-text-field__slot'&#41;[1].childNodes[1].value=`${e.name} = ${e.value}`;document.getElementsByClassName('v-text-field__slot'&#41;[1].childNodes[1].dispatchEvent(new Event('input')&#41;;document.getElementsByClassName('v-text-field__slot'&#41;[1].nextElementSibling.childNodes[0].click(&#41;}&#41;)
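
The link above hides the colon of javascript: behind the character reference &#58, so a filter that only inspects the raw text does not see the scheme. As an added example (not code from the Snyk lesson or from this post), here is a renderer-side check that decodes character references before applying a scheme allowlist; naiveIsSafe, safeHref, renderLink, the app.invalid base and the sample inputs are assumptions constructed for illustration:

```javascript
// Added example: apply the scheme allowlist AFTER decoding character references.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const BASE = 'https://app.invalid/'; // placeholder base so relative links parse
const NAMED = { colon: ':', tab: '\t', newline: '\n', amp: '&' };

// Weak check for comparison: inspects the raw text only.
const naiveIsSafe = (raw) => !/^\s*javascript:/i.test(raw);

// Decode numeric (and a few named) character references in one pass, as a
// Markdown/HTML renderer would. The semicolon after a numeric reference is
// optional, so "&#58" still becomes ":".
function decodeCharRefs(s) {
  const cp = (n) => (n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : '\uFFFD');
  return s.replace(
    /&#x([0-9a-f]+);?|&#(\d+);?|&(colon|tab|newline|amp);/gi,
    (_, hex, dec, name) =>
      hex ? cp(parseInt(hex, 16)) : dec ? cp(parseInt(dec, 10)) : NAMED[name.toLowerCase()]
  );
}

// Return the decoded href if its scheme is allowlisted, otherwise null.
function safeHref(raw) {
  const decoded = decodeCharRefs(String(raw));
  try {
    // The WHATWG URL parser drops tabs/newlines and leading control characters,
    // so "jav<TAB>ascript:" is classified the way a browser would classify it.
    return SAFE_SCHEMES.has(new URL(decoded, BASE).protocol) ? decoded : null;
  } catch {
    return null; // unparseable target: emit no link
  }
}

const escapeHtml = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Render a Markdown-style link; unsafe targets degrade to plain escaped text.
function renderLink(text, rawHref) {
  const href = safeHref(rawHref);
  return href === null
    ? escapeHtml(text)
    : `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

// Constructed sample modelled on the entity-encoded colon in the link above.
const SAMPLE = 'javascript&#58void(0)';
console.log(naiveIsSafe(SAMPLE), renderLink('Totally Safe Link', SAMPLE));
```

The raw-text check accepts the sample, while the decode-then-allowlist check refuses it and renders the link text as plain text.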

 

 

Path Traversal 


A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.


Example: Send a request like /%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd (%2e is the URL-encoded form of "."), which succeeds because of vulnerable libraries such as st@0.2.4. 


Vulnerability Disclosure Program & Bug Bounty

  • Hackerone 
  • Bugcrowd 
  • Intigriti 
  • Promote responsible disclosure and incentivise bug hunting 
  • Identify and address security weaknesses before they can be exploited by malicious actors 
  • Improve the overall security of software and systems 
  • Include scope and objectives, methodology, findings and vulnerabilities, risk assessment and severity ratings, and recommendations for mitigation 
  • Consider honesty, accuracy, confidentiality, and respect for third-party agreements 

 
