Posts

The Newbie Guide to Ethical Hacking

I hack websites. I’ve been doing it for a long time, across various industries, tech stacks, and programming languages. When I tell people what I do, especially those in the tech community, they often ask how I started and how can they learn more. So today, I’m going to give you a quick intro into the tools and tricks to get started with web hacking. The best way to start is to dive into the details, using some hacking tools.

Here’s how I recommend starting:

  1. Understand the tools of the trade
  2. Understand common attacks and defenses
  3. Practice on test sites

Since we will be focusing on web hacking, a basic understanding and/or refresher may be useful. If so, check out my post on, “Understanding HTTP Basics,” then come back. Don’t worry, its pretty simple but lays the groundwork for later.

Tools of the Trade

The first thing I think anyone trying to get involved with web app security needs to know is how to use the most common web hacking tool, the proxy. Proxies let you intercept HTTP requests and responses, allowing you to fully understand how a website works and lets you uncover security issues. I wrote a post, “Web hacking Tools: Proxies,” which walks through installing and using the most common web proxy used by security people, Burp.

After you spend some time using a web proxy, it’s pretty eye opening to see how some of your favorite sites work, under the covers at the HTTP layer. This is also super-useful during normal development to debug and troubleshoot web application problems.

Common Attacks

Next, you need to gain an understanding of the common attacks hackers use to break-in, so you can test your sites and code for these vulnerabilities. You should check out my article on the iCloud attack here. OWASP provides a list of the top 10 attacks. This is a great place to start, although I should warn you that some of them get into the weed fairly quickly. Once you understand those, you can review sites you build to make sure they are protected.

Practice makes perfect

Armed with your first hacking tool, the web proxy, and an understanding of common attacks, it’s time to put your newfound knowledge to the test with a few hacking challenges. There are a few great sites out there where you can learn and try out hacking techniques without being worried about breaking the law. These are a few of my favorites:

After you brush up on your skills, you can take it to the next level with a few public bug bounty programs. These programs are great because they pay for you finding vulnerabilities in public websites, such as Google, Facebook, and Paypal. Make sure you read all the rules before starting:

If you don’t want to deal with these companies directly, you can also join a bug bounty program through a dedicated bug bounty company. These work with various businesses to test security using a pool of freelance hackers, including you! These two are the best:

How Olivia Munn’s Apple iCloud Account Got Hacked

Recently hundreds of celebrity’s private photos (including XXX photos) were leaked on the internet by unknown attackers from Apple’s iCloud. We’re interested in understanding how this happened and how we can help prevent it in the future. What weakness in Apple’s security allowed for this attack to take place?

Here is what we know:

How can we make sure our sites are not susceptible to the same types of attack?

Strong defensive programming techniques and basic web application security knowledge would have prevented this type of attack. Let’s take a deeper look at how these “brute-force” attacks work.

So what is a brute force attack?

Most brute force attacks work by targeting a website, typically the login page, with millions of username and password combinations until a valid combination is found. The same concept can be applied to password reset secret question, promo or discount codes, or other “secret” information used to identify a user.

Let’s look at a real example to understand how this works. Getting past the login screen is often the first step to breaking into most websites. But without a username and password, how can you possibly get in?

Since a python proof of concept attack script was released on github, we can take a look through the code and get a better understanding of how this attack works. The code can be found here: https://github.com/hackappcom/ibrute

First, the code reads passwords and emails from two different files. For the type of targeted attacks that were performed against celebrities such as Olivia Munn, the attacker already knew their valid email address. Emails are loaded into a variable called “apple_ids”. Loading these values can be seen on line 79 and 83:

Next, for each apple_id (email address), the script tries each password and calls the “TryPass” method, shown below on line 98.

Take a minute to read over the following code snippet that actually sends the request:

On line 39, the target URL is constructed by placing the apple_id in the URL. Next, a user-agent header is added and a json object is constructed. Presumably this information was reverse-engineering the researchers sniffing the FindMyiPhone http traffic.

Finally, the email and password value are joined together and base64 encoded into an authorization header on line 64:

It’s interesting to note that the API is using “Basic” authentication, which has a number of known security weaknesses, including the inability to perform account lockouts.

Finally, the request is sent and based on the server response, one can tell if the email and password combination is valid. This is sent for each email address, going through each password, then moving to the next email address and repeating the process. Given a long enough password list, eventually the attacker will discover the right password.

After collecting valid passwords, the attacker was able to download the iCloud backup for the user.

Apple has since closed the security bug.

In my next post, I’ll show you how to find and fix these types of security holes in your own applications.

Have any of your accounts or websites ever been hacked? Let me know what happened in the comments below!