I like the OWASP Penetration Testing Kit browser extension he mentioned. Let’s hope our IT allows us to use it.
We started to focus more on security recently. Many tools and techniques are complex and scary for beginners. We got a lot of value out of simple security tests (try logging in without/with wrong password) and security analysis of existing features and documentation.
I’m not sure it’s the best start for a beginner-level tester to do security tests; they should probably focus on learning the testing aspect first. But getting them to think about security is basically easy!
What can I do to exploit this? Or, how would a hacker exploit this?
You don’t need to be able to do it; if you can think of it and it would theoretically work, there is probably a loophole in there that needs to be looked at.
This totally depends on what you are doing.
I like to use:
Postman & BurpSuite for quick API altering / proxy & exploratory testing
There are so many more, but it depends what you are doing. These are my common ones.
There are so many. I’ve learned that bad organisations would rather pay ransomware than invest in security. Security is not a joke, and a lot of people don’t know how to act around it. So maybe it’s not “bad organisations” but the LACK of knowledge of people. Then again, often even after explaining what the damage can be, it gets neglected.
It’s a dark hole in the IT business which nobody dares to crawl into.
I’ve seen an organisation that had been hacked for 8+ months, which I found in my first week at the client, and not a single person had invested time in it earlier (they didn’t know). It cost the company a lot of money … A LOT. The hacker just had a backdoor file installed and was regularly connecting to disable items in their online webshop. It finally stopped only because I spent 10 minutes on it, intrigued by why the webshop items were getting “automatically” archived when there was no “automatic archive”. But I was too late; the damage had been done, and the webshop closed a while after due to this, because it wasn’t getting any return on value.
The best/worst nightmare security vulnerability stories are those where you warn a company about a security breach, they do nothing about it, and they get hacked. You feel absolutely the worst, since you tried to warn them but they didn’t listen; you can’t help it … but you knew.
I’ve reached out to at least 50+ companies by email about security vulnerabilities on their product/website and literally 0 … ZERO … replied (not through bug bounty programs).
I often get a LinkedIn profile view from somebody at the company, but nothing happens. I even tell them that I’m open to providing some guidance or doing a re-test.
And sometimes after a while you see in the news: “X or Y has been hacked.”
Sometimes you hear: “We had an email about this but didn’t think it was legit.”
The recent Okta breach had this issue too: they had been informed about a vulnerability ~3 weeks before being breached, but they didn’t act upon it.
So yea… the nightmare stories… I can go on and on and on …