DevFu! The Inner Ninja in Every Application Developer

DevFu!The Inner Ninja in Every Application Developer

About Me

Danny ChrastilSecurity ConsultantBT AssureEthical Hacking Center of Excellence

{ “Penetration Testing":[ "Web Applications", "iOS / Android Mobile Apps", "Internal / External Networks" ], “Certifications”:[ “GIAC GWAPT”, “GIAC GWEB”}

About Me

DisK0nn3cT

[root] # cat hobbies.txt Twitter Fan CTF Team Member – 0x5bd DC303 Robot Mafia - Team Member

[root] # cat contributions.txt OWASP CTF Contributor SnowFROC CTF Contributor Zen Cart (PHP) Security Contributor CookieCatcher Project [in progress]

About Me

Hackers DeveloperArrogant Ignorant

Hackers Developers

I Know DevFu!

DevFu!Scripting

Application Development

Ins & Outs of Programming

Knowing the Lingo

Scripting• Network / Firewall / WebApp• Automate Processes– Assist Tools– Scraping Websites– Manipulating Data

• Examples!

Scripting - Example 1

Scripting - Example 2

Scripting - Example 3 Jordan from RaiderSec Blog

Application Programing

• Tools / Frameworks– Metasploit, w3af, sqlmap …

• Contribute or Plugin!• Need for Developers

Application Programing• Metasploit – Exploit Skeleton (Ruby+git)

http://www.offensive-security.com/metasploit-unleashed/Exploit_Format

Application Programing• w3af – Example Plugin (Python+svn)

http://www.ethicalhack3r.co.uk/w3af/

Application Programing• CookieCatcher (In progress)

Ins/Outs of Programming• Intimate knowledge of a language– Common pitfalls / limitations

Global variables, null bytes, open source

Core vulnerabilities: SQLi, remote code injection

Loose programming practices

You’re using ColdFusion …

Ins/Outs of Programming• Anticipate shortcuts during Development• Only as strong as its weakest link

– Parameter sanitization– Business logic– Information Leakage

Speaking the Language• Need to be able to “talk the talk”• Great interviewing skill• Explain security in business terms• Bridge the gap to the development team

Summary

Questions

Contact Information

Twitter: @DisK0nn3cTEmail: danny.chrastil@gmail.comGoogle+: @dchrastil

DevFu! The Inner Ninja in Every Application Developer

Documents

Ninja Track

Ninja Multiplication - Weeblymathletes4agora.weebly.com/.../0/9620241/ninja-multiplication-workbook.pdf · Ninja Multiplication Multiplication Flash Cards Ninja Multiplication: Multiplying

Ninja - downloads.globaliptel.comdownloads.globaliptel.com/Ninja/manuals/help.pdf · Ninja besitzt 5 feste Qualitätsstufen für die Bildübertragung: Niedrig, Mittel, Hoch, Hervorragend,

15. How to Become a Ninja Developer?

ninja book

ATOMOS NINJA FLAMEdownloads.atomos.com/ninja-flame/Ninja-Flame-User-Manual.pdf · *Subject to change without notice Atomos Ninja Flame – User Manual Edition 1: August 2017 1 Have

Kawasaki Ninja

Ninja Vengeance

Ninja Skills: The Authentic Ninja Training Manual

Ninja Hacking

ATOMOS NINJA STARdownloads.atomos.com/ninja-star/Ninja-Star-User-Manual-V1-Oct-201… · Atomos Ninja Star – User Manual Edition 1: October 2014 2 Contents 2 Safety Instructions

Puzzle Ninja Ninja

Ninja Shisen

ATOMOS NINJA INFERNOdownloads.atomos.com/ninja-inferno/ninja-inferno-user-manual.pdf · *Subject to change without notice Atomos Ninja Inferno – User Manual Edition 1: May 2017

Ninja Express

Ninja soccer

Vocabulary Ninja - Dreamgiver · vocabulary ninja certificate Signed Vocabulary Ninja Date This little ninja has shown unrivalled levels of commitment, guile and creativity in their

Cocktail Ninja

Ninja JX-Engine instruction manual - Ninja-Engine

Ninja 1000