Week 2 Reflections

February 17 2019, 11:34 AM

This week in our Cyber Security studios, we focused a bit more on web application security and penetration, and having a larger emphasis on the definition of our problem statement and the ultimate shape of our portfolio for this subject.

This week I also started my first professional job, working as an Apex developer (the language used in Salesforce CRM products) for a small startup, which is an incredibly different environment from working in Help Desk for a law firm generating $1 billion a year. I went from structure, including service management, specialized team management staff and incident management, into being thrown in the deep end with an almost unused incident management system. Self study is needed to keep myself afloat in this new job, as while I’m experienced in programming Java already (to which Apex is very similar), there’s still a ton of new concepts that will take my limited time away.

This sudden disappearance of my free time, time that is meant to be committed to this subject, has cemented the idea that my time management strategy sucks (i.e. there is none), and the first steps I have taken to rectify this are to begin being more vocal in class if I need more insight into what is to be achieved during the week in terms of milestones, as I think a defined list of milestones is how I best operate.[5]

An example of this would be spinning up my old VPS and Software Engineering Project, I had a talk with our tutors for cyber sec and I had the idea that I could use this project, insecure as it is, as my learning experience to achieve my SLOs.

  • It’s a web application, so it fits in perfectly with the content we’ve been learning the past 2 weeks
  • It wasn’t designed to be secure, which highlighted a problem with our SDLC
  • I have good understanding of how the entire thing is structured, so nothing will be blind (I know where all the endpoints are, which saves a few hours (at my skill level) with burpsuite)
  • I have root access to the server behind the application, so I can always have a look at logs [2][3]

Another benefit is that since it’s hosted on a private VPS that I signed a permission form for penetration testing, I could even see if I can pwn my own box as a change of pace.
This is still an ongoing idea, and more talk is needed with my tutors, as they ultimately know whether or not my application is viable or not. [1]

Progress this week

I started off this week (on Wednesday) by being asked to present a Problem Statement we had defined the week prior. I blame my poor time management in this case, as I didn’t have any presentation prepared, and my blog write up was still sitting undeployed on my home desktop. The second way I messed up was misinterpreting our tutor’s instructions earlier on how to define a problem statement. I know now that a Problem Statement is what you can present to some CEO of some company: define a problem, what it’ll affect (his bottom line), and how you’ll fix it, all under 1 minute.

Since I didn’t have any presentation prepared, I decided to accept my fate and talk about what I studied previously on the weekend, which was about why exactly XSS was so prevalent. You could formulate this to sound like an executive problem statement but I leaned on the technical side.

By sheer luck, I wasn’t asked to present before the break, so during lunch I slapped together a quick presentation and talked about exactly why XSS was so prevalent. It’s prevalent because of DOM-based XSS attacks being the majority of XSS attacks, since they rely solely on human failure by clicking on a crafted link, and exploiting raw text within the DOM processor of a browser. It’s much easier to sanitize stored and reflected XSS, but the threat of a DOM-based XSS attack is there if you have any user-influenced raw text displayed in a browser at all.
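To make the "user-influenced raw text" point concrete, here is an added example (not from the original post) of the sink that makes DOM-based XSS possible and the two ways a developer closes it. The page is simulated with plain strings so it runs under Node without a browser: `readFragment` stands in for reading `window.location.hash`, and the string each render function returns is what a real page would hand to `element.innerHTML`. The crafted fragment is a constructed sample.

```javascript
// Added example (not the original post's code): a DOM-based XSS sink and its fix.
// Source of untrusted text: the URL fragment. Browsers expose it as
// window.location.hash; here it is just a string parameter so the code runs in Node.
function readFragment(hash) {
  return decodeURIComponent(hash.startsWith('#') ? hash.slice(1) : hash);
}

// Constructed sample of a crafted link fragment a victim might be tricked into opening.
const CRAFTED_FRAGMENT = '#<img src=x onerror=alert(1)>';

// VULNERABLE: user-controlled text is concatenated straight into markup that the
// page would assign to innerHTML. The browser's HTML parser treats the attacker's
// tag as a tag, so its onerror handler runs in the page's origin.
function renderUnsafe(hash) {
  const name = readFragment(hash);
  return '<h1>Welcome, ' + name + '</h1>'; // imagine: greeting.innerHTML = ...
}

// Encode the five characters that let text break out of an HTML text node or
// a quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// SAFE: same output shape, but the untrusted text is encoded first, so the browser
// renders the payload as literal characters instead of creating an element.
// In a real page, greeting.textContent = name is the simpler fix: it bypasses the
// HTML parser entirely, so no escaping is needed at all.
function renderSafe(hash) {
  const name = readFragment(hash);
  return '<h1>Welcome, ' + escapeHtml(name) + '</h1>';
}

// Crude check used only to show the difference between the two renderers:
// does the markup still contain an unescaped tag carrying an event handler?
function containsLiveTag(html) {
  return /<img[^>]*onerror/i.test(html);
}

console.log('unsafe:', renderUnsafe(CRAFTED_FRAGMENT), '->', containsLiveTag(renderUnsafe(CRAFTED_FRAGMENT)));
console.log('safe  :', renderSafe(CRAFTED_FRAGMENT), '->', containsLiveTag(renderSafe(CRAFTED_FRAGMENT)));
```

The design point is that the fix belongs at the sink, not the source: you cannot stop users from following links, but every place the page turns text into DOM is a place you choose between `innerHTML` plus encoding and `textContent`, and grepping a codebase for `innerHTML`, `document.write` and `eval` is the quickest inventory of those sinks.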

So I talked about the why, the how and how to fix it, but didn’t talk much about what it might do, since I mistakenly made this a technical presentation, and assumed the audience knew what XSS does. I still managed to fit in the entirety of my presentation in 2:59 with a time limit of 3:00 so I’m happy with that.[4]

I then studied by tackling a medium-hard level HackTheBox web challenge called I know Mag1k. I did a write up of it here.

It exposed me to a whole new level of exploit involving an Oracle attack, new tools and a new path of enumeration for my further studies.

What’s Next

Next week we’re starting actual box pwning, which means I need to be ahead of it since I’ll also have some crazy work stress to deal with as well. I need to catch up to Bandit 30, Natas 15 and hopefully pwn the Help machine on Hack the Box. I’ll also end up asking the tutors at some point if they have any walkthroughs for retired machines.


1: SLO 1
2: SLO 2
3: SLO 3
4: SLO 4
5: SLO 5