Introduction

Week 2 of 41151 Summer Studio B has been pretty intense; the expected workload has certainly increased and the whole subject has become a lot more intense. I’m definitely getting an idea of the amount of work that is required from students.

This week introduced the topic of Web Application Security, a topic that I’ve had experience in before, but it was still really interesting. I learned quite a lot this week, and it has definitely reignited my motivation for security.

The problem statement that I identified this week was:
"The increasing adoption of web applications by businesses as a platform to undertake operations can result in negative impact to businesses given the insecure nature of web applications and the numerous vulnerabilities that can be used to exploit web applications".

Web applications are insecure by nature: the web/internet environment was created for research purposes, so that universities and academics could share research. Back then, nobody knew what the internet would transform into, and it was assumed that nobody would abuse the internet and its users, so the internet was built with implicit trust in mind. That is something we’re still paying for decades later, with never-ending news of another data breach at another big business.


Summary (TL;DR)

Things that went well this week:

  • Homework research was done quite well
  • Engaged with other students and academic staff
  • Presentation went well
  • Helped people get their static sites online
  • Made plans and documented everything happening

Things that didn’t go well this week:

  • Not doing enough challenges
  • Bad time management skills
  • Too much slacking/procrastination
  • Didn’t prepare enough for mandatory face-to-face sessions

Weekly Rundown

Monday

We were introduced to what we would be exploring this week, Web Application Security, the discipline in security that I have the most experience in out of all the security topics that I’ve played around with. I didn’t know what I was expecting to do this week; I’ve done some of the recommended resources that we were given, specifically HackTheBox, Root-Me and Natas (OverTheWire).

At the scrum, it seemed that most of the class has issues with time management, something that I’m also struggling with. It would be great to try and iron out a schedule that I can follow on days that aren’t mandatory, something standardised that I can apply to all the days to maximise productivity and make the most of the subject. This is going to be really important considering that the difficulty of the studio is expected to ramp up over the next two weeks.

I decided to have a look at some of the HackTheBox challenges; I know that they’re quite challenging but also spectacularly satisfying to complete. Since this week focused on web app security, I decided to try and solve Lernaean, a brute force password cracking challenge. You can read about that here.

Something that also needs to be worked on is not feeling complacent. Solving Lernaean made me feel pretty successful, since it was a challenge that I perceived to be hard, mostly because it involved Hydra, an annoying/difficult-to-configure tool that I only had second-hand knowledge of. I need to keep doing and solving more challenges whether I complete them or not; stopping after completing a challenge won’t cut it anymore in the next two weeks.

Tuesday

We were given homework due by Wednesday about responsible disclosure, and the impacts that bug bounties/ethical hackers have on stakeholders. I found this homework really interesting; in the future I do want to be able to pursue bug bounty hunting, and knowing the ins and outs of that particular field can be really useful.

You can view my findings here. I found myself actually looking up academic articles about responsible disclosure and bug bounties, and some of the figures that I found were startling, specifically the fact that most bug bounty programs don’t have ‘safe harbour’ clauses that protect bug bounty hunters from possible legal ramifications of their actions, even if they’ve been acting in good faith and have obeyed the scope of the program.

After completing the homework, I didn’t look at other challenges, though I definitely should have; any time I’m not completing homework should definitely be spent doing challenges to better my technical skills.

Wednesday

Luke Fuehrer gave a presentation about cross-site scripting (XSS), revolving around the history, types and impacts of XSS. The prevalence of XSS vulnerabilities in web applications and the potential impact of successfully using an XSS exploit on a web app makes it a really important topic to understand.

That being said, XSS is something that I do struggle with, mainly stealing cookies, which usually requires a live domain to link your XSS injection to that contains a malicious script to write the user’s cookie to a text file. Although there are several webhook services that are free and provide endpoints for your XSS to hit, I think it would be easier to practice with a domain dedicated just to XSS; maybe I should have a look at using my blog domain for that?


After Luke’s presentation, I had a look at the MrRobotCTF. The first challenge was pretty easy, simply robots.txt, something that you should have a look at when attempting any CTF challenge or even bug bounties.

  1. Inputting robots.txt after the base URL lets you read the file.

  2. Simply reading the key-1-of-3.txt file gives you the hash flag for the first challenge.

  3. Profit.
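The robots.txt step above is a disclosure problem as much as a recon step: the file is public, so any Disallow line that names a secret is handing it to anyone who reads the file. As an added example (not part of the original post or the CTF), here is a small defender-side audit that parses a robots.txt and flags Disallow entries whose paths look sensitive; the sample file and the list of sensitive hints are constructed for illustration.

```python
"""Audit a robots.txt for Disallow entries that advertise sensitive paths."""

# Constructed sample, modelled on the CTF step described above: a Disallow
# line naming a key file outright. Only key-1-of-3.txt comes from the post.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /key-1-of-3.txt
Disallow: /admin/
Disallow: /images/
Allow: /public/

User-agent: Googlebot
Disallow: /staging/
"""

# Constructed path fragments a reviewer would not want exposed to anonymous readers.
SENSITIVE_HINTS = ("key", "secret", "backup", "admin", "staging", ".sql", ".bak")


def parse_robots(text):
    """Return (user_agent, directive, path) tuples for every Allow/Disallow rule.

    Several consecutive User-agent lines share one rule set; a blank line, or a
    User-agent line that follows a rule, starts a new group.
    """
    rules, agents, group_has_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            agents, group_has_rules = [], False
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if group_has_rules:                # a new group begins here
                agents, group_has_rules = [], False
            agents.append(value)
        elif field in ("disallow", "allow") and value:
            group_has_rules = True
            for agent in agents or ["*"]:      # rules before any agent apply to all
                rules.append((agent, field, value))
    return rules


def sensitive_disallows(text):
    """Disallowed paths whose names suggest the file discloses something sensitive."""
    return sorted({path for _agent, directive, path in parse_robots(text)
                   if directive == "disallow"
                   and any(hint in path.lower() for hint in SENSITIVE_HINTS)})
```

Run it against your own site's robots.txt before publishing: the right fix for a flagged entry is to move the resource behind authentication or off the web root, not to list it for crawlers to skip.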

A pretty simple challenge, but the problem of complacency comes up again: after solving a challenge, you shouldn’t just rest on your laurels; always keep pushing to better yourself, especially in the security field. So after solving this challenge, I tried having a go at the second challenge, but was stopped by a 2.3kb/s download speed while trying to download the 7MB file for the second challenge.

Since the file was taking a pretty long time to download, I decided to try downloading it later and instead decided to try and help Andy and Vishal with their static sites. They both created their sites with HTML/CSS, which wasn’t in line with what was required by the studio, so they had to rush making their static sites. While I definitely enjoy collaborating and helping other people, it always seems that I’m helping other people and spending too much time on making sure that they’re on the right track rather than focusing on my own development. I want to be able to develop my own skills so that I can be more knowledgeable and be able to help people better, but that means that I need to try and commit to focusing on my own skill development for a while.

The switch from a daily scrum to a free-for-all seems to work better in my opinion; it provides a better opportunity for deeper discussions on what people have been doing, what they plan to do and what they’re struggling with. Although you don’t interact with the entire class during the free-for-all, the more in-depth conversations with different people each time seem to be more than worth it.

Something I am trying to do is plan out what is needed for deliverables; I made a plan for the Friday deliverable:

[Image: plan for the Friday deliverable]

I’m definitely going to keep up with planning things; it seems to work out quite well when I plan things out and just follow the plan.

So Wednesday was pretty much focused on helping people troubleshoot their static sites. I ended up helping Rowan, Junwei, Andy and Vishal, and they seem to have their sites up for now. Next week is going to get harder and I want to spend more time on my own development, so although I like to help people out, I need to make sure I have my own work sorted out before I help other people with theirs.

Thursday

Thursday was spent compiling what I’ve done during the week into the deliverable due on Friday; I wrote up my deliverable here. There was also a presentation due to be presented on Friday. I didn’t actually get to making the presentation on Thursday at all and ended up making it on the train to class on Friday morning.

The main issue I’m having is definitely time management, and it keeps popping up for myself and others. It’s not like I’m running out of time due to other commitments; it’s mostly due to not making the most of my time. Being distracted and procrastinating needs to stop. This is an intensive course and I should be putting more effort into bettering myself.

I found that I didn’t really do much on Thursday. I could have had a look at more challenges, what vulnerabilities they employed and how these would impact a business if successfully exploited, but I found myself really slacking off. This won’t happen again; it’s been a really humbling week for me, and from here on I’ll be trying my best to do more with my time.

Friday

So the presentation was due Friday. I managed to finish the presentation on the train in the morning; it wasn’t very hard to make, with the criteria for the presentation being a high-level overview of the impacts that web app vulnerabilities would have on stakeholders. The presentation can be found here.

We started off with the free-for-all today and I ended up talking with Oliver and David. David mentioned that he got through three of the web challenges on HackTheBox, which was both inspiring and humbling to me; I felt more motivated to do challenges after he told me this. We also talked about the different vulnerabilities and where they were leveraged; Oliver told me about the XSS vulnerability on eBay and how the whole page turned into a malicious URI. I think that free-for-alls are the way to go, but maybe mixed in with a daily scrum once a week to keep everyone updated on each other’s progress.

After the free-for-all, it was time for the presentations. In terms of content, my presentation hit the important points, the seriousness of the vulnerability and its impact on businesses, which proved my problem statement; however, engaging with Larry for feedback afterwards highlighted some things to take into account with future presentations and general work. Feedback observed:

[Image: feedback notes]

Something that Larry made me consider is that the presentation went well mainly because I knew who was in the room and how they would react to the presentation; the same cannot be said if the presentation were to be delivered in a professional context. There is definitely a time and place for jokes, and joking around with the wrong audience may have serious consequences, for example losing potential clients or upsetting colleagues.

The feedback also addressed body positioning. The delivery of the presentation went quite well; however, I was standing stationary behind the lectern. Larry suggested that for future presentations it would be better to move more, specifically in front of the lectern, to remove the barrier between my audience and me and to allow better engagement with the audience.

This was very valuable feedback for me personally; it will only serve to enhance my future presentations, although I am definitely not looking forward to them.


Goals

As I said before, this week has been really humbling, although on the bright side I know what I’ll have to do next week to match the intensity that the course will be taking on.

What I need to do next week:

  • Continue documenting everything, but document things as they happen for a more complete log of events
  • Never stop doing challenges or reading up on security material
  • Time management, make a schedule, follow it, be more productive
  • Ideally if applicable, more engagement with external sources, find out more about what they do and ask for advice on what I can do to better myself
  • Stop writing my reflections on Saturday and Sunday and start writing them during the week and updating them daily