I attended Day 1 of Hacker Halted today. I signed up for Workshop 1 – on web-application hacking – because I wanted to learn more about it. Our morning started with mainly basic stuff on the underlying mechanism behind web applications – HTTP protocol, DNS services and what nots.
Our afternoon session was more interesting, with our trainer – Sean Arries – showing us the information gathering aspect of web-application hacking (vulnerability analysis). This is done in order to increase the attack space of the target. The thing that I learned from this section of the training is that – sites are far more vulnerable from side-channel and internal attacks than direct external attacks.
The tools that I already knew (and are part of every System Admin’s arsenal) were things like
host and other network layer stuff. However, at the application level, I learned how to use XSS ME. Manually testing cross-site scripting (XSS) is quite fun.
The basic techniques shown were really useful. We even practiced it on a number of prominent local Malaysian sites. Very interesting. Tomorrow, we get to the actual act of attacking web applications (penetration testing) and see if we can pwn any machines. I am looking forward to hacking my own websites.