“Companies generally find that no matter how secure they are, someone will always find a way.” - James Kettle
Have you ever wondered how hackers find vulnerabilities and how companies can find and fix their own? You will find out today! On average 30,000 new websites are hacked every day.
Our guest for this episode is James Kettle. James is the Director of Research at PortSwigger Web Security, where he explores new ways to attack websites and designs and refines vulnerability detection techniques for Burp Suite’s scanner.
James shares his hacking experience and the hard work of helping companies keep their websites secure from all the crazy stuff going on out there. On today’s episode, James shares his expertise to help you be more aware of possible red flags and the prevention measures to take to protect yourself and your website.
“If you are using the same password on multiple websites you are going to get hacked.” - James Kettle
- [00:40] – When James was at university he saw that Google said they would pay anybody that could hack their website. He thought that sounded like fun and spent a huge amount of time doing that.
- [01:02] – Now James works at PortSwigger and researches new techniques to hack websites.
- [01:11] – Bounty programs are where a company wants to make sure their product or website doesn’t get hacked by malicious people so they go out and publicly say that anyone is welcome to try and hack their website. If you are successful and you don’t do any damage, but you tell them how you did it they will pay you for it and then fix it.
- [03:45] – Pen testing is the classic approach to securing your website where you pay a consultant to spend one or two weeks trying to hack your website.
- [05:14] – It is totally worth it to get that third party view. Developers often can’t find problems with their own products.
- [06:13] – If you want to find a vulnerability on a website you need to use an attack technique.
- [07:15] – These days they see a lot of cross-site scripting vulnerabilities and it’s the most common one they see.
- [07:37] – One of the most common causes of high impact breaches is access control issues.
- [08:45] – James shares the biggest data breach they were able to do during their testing.
- [10:31] – Try to use a framework whenever possible, because it makes things like SQL injection less likely to happen.
- [11:01] – The standard approach after you make the website is to try to get someone else to look at it.
- [11:27] – With WordPress, it is very important to keep it up to date, install as few plug-ins as possible, and choose a good password.
- [14:08] – Use as few browser extensions as possible to avoid possible malware issues.
- [15:25] – Most people are not being personally targeted by hackers so the threats that most people need to watch out for are things that can be automated.
- [16:10] – If you are using the same password on multiple websites you are going to get hacked.
- [17:02] – A common misconception is that if you have a strong unique password then it doesn’t matter if you reuse it.
- [18:03] – James uses websites with the assumption that all the data he gives a website is going to end up public at some point.
- [18:45] – Provide the minimum information possible.
- [20:19] – James shares his all-time favorite story.
- [22:33] – If an entity builds their security around detecting when people are attacking them then running a bug bounty would be harmful because they have no idea who is legitimate or hostile. If your website is on the internet, it is being attacked.
- [23:35] – When you are being attacked, it is important to know that it most likely isn’t personal.
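The two website-side problems singled out above, the access control bug where changing order_id=1234 to 12345 shows you someone else’s order, and the SQL injection that a framework or parameterised queries make unlikely, fit in one small piece of code. The following is an added example written for these notes; it is not code from the episode or from PortSwigger. It uses an in-memory SQLite database with constructed sample data (two users, one order each) standing in for the site’s real database.

```python
"""Added example: an order-lookup endpoint written the vulnerable way (no ownership
check, SQL built by string formatting) next to a hardened version (parameterised,
scoped to the logged-in user). Sample data below is constructed for the example."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: alice owns order 1234, bob owns order 12345."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, item TEXT, card_last4 TEXT)"
    )
    db.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(1234, "alice", "headphones", "4242"), (12345, "bob", "laptop", "1111")],
    )
    return db


def view_order_vulnerable(db: sqlite3.Connection, current_user: str, order_id: str) -> list:
    """Vulnerable on two counts:
    1. current_user is never consulted, so any authenticated user can read any
       order just by changing the id in the request (the order_id=1234 -> 12345 bug).
    2. order_id is pasted straight into the SQL text, so a value such as
       '1234 OR 1=1' turns one lookup into a dump of the whole table.
    """
    sql = f"SELECT id, owner, item, card_last4 FROM orders WHERE id = {order_id}"
    return db.execute(sql).fetchall()


def view_order_hardened(db: sqlite3.Connection, current_user: str, order_id: str):
    """Hardened version:
    - the id is validated as an integer and bound as a query parameter, so the
      database driver never interprets it as SQL (what a framework does for you);
    - the query is scoped to the logged-in user, so another user's order is simply
      not found rather than relying on the id being hard to guess.
    Returns the matching row or None.
    """
    if not order_id.isdigit():
        return None
    return db.execute(
        "SELECT id, owner, item, card_last4 FROM orders WHERE id = ? AND owner = ?",
        (int(order_id), current_user),
    ).fetchone()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, alice asks for 12345:", view_order_vulnerable(db, "alice", "12345"))
    print("vulnerable, injected id:", view_order_vulnerable(db, "alice", "1234 OR 1=1"))
    print("hardened, alice asks for 12345:", view_order_hardened(db, "alice", "12345"))
    print("hardened, injected id:", view_order_hardened(db, "alice", "1234 OR 1=1"))
```

The ownership check in the hardened query is the part that most real sites get wrong: a parameterised query alone stops the injection but still hands out bob’s order to alice, so both fixes are needed.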
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
“If your website is on the internet, it is being attacked.” - James Kettle
Links and Resources:
- Podcast Web Page
- Facebook Page
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Have I Been Pwned
- Burp Suite
- Web Security Academy
- BurpSuite on Twitter
Can you tell me a little bit about your background with hacking?
Sure. When I was at university, I saw that Google said that they would pay anyone that found a way to hack their website. I thought, “That sounds like fun.” I ended up spending a huge amount of time doing that and then working as a professional pentester. Now, I work at PortSwigger and am trying to research new techniques to hack websites.
That’s really interesting. People hear about bounty programs in the news. What are bounty programs?
Bug bounty programs are where a company wants to make sure that their products or maybe websites don’t get hacked by a malicious person, so they go out and they publicly say anyone is welcome to try and hack our website. If you’re successful and you don’t do any damage but you tell us how you did it, then we’ll pay you for it and then fix it. That means they’re secure from the hackers and the great thing about bug bounty programs is that anyone with the right skills can take part. You don’t have to sign a contract in advance, there’s no background checks or anything like that. It’s just open to everyone.
If the company has very good security, it doesn’t cost them anything to have a whole bunch of people trying to test their security against them.
Indeed. And what companies generally find out is no matter how secure they are, someone will always find a way. I successfully hacked PayPal’s login page last year, which I was quite pleased about because it wasn’t very easy.
That’s cool and disturbing at the same time.
Yeah, most people say that.
With bounty programs, what’s the range in the normal payout rates for these programs?
The company sets the payouts themselves. If they’re new to bounty programs, then they might offer a fairly low bounty, maybe $100 to a couple of thousand. But if they’re well-established programs like PayPal, they can pay quite a large bounty. I got $40,000 off PayPal for control over their login page. I think they tend to max out at about $100,000, but that would be quite rare.
I thought I saw Apple or someone with deep pockets having a million-dollar bounty program if you could do this very, very specific hack.
Yes. I think that’s about the max. To get something like that, you’re basically talking about chaining loads of individual hacks together anyway.
Very complicated, but if that’s what you like doing, it must be very entertaining and satisfying when you actually are able to compromise a system.
Absolutely. It’s quite fun and really satisfying.
With the process that you’re going through, is that what pentesting is? Can you tell me more about that?
It’s similar to pentesting. Pentesting is the classic approach to securing your website where you just pay a consultant to spend maybe one or two weeks trying to hack your website. You pay them per day or per hour, there’s a specific contract and so on. That’s the old school way of doing it and it still has a lot of value, but some vulnerabilities are going to take potentially months to find, or maybe only very certain people have the right skills for them. That’s where you can get the benefit by having a pen test to find the obvious problems […] program just left running to find more subtle stuff.
There was an organization that I worked for many years ago, who will remain nameless. They did hire a company to do pentesting and they found a couple of things that we would’ve expected them to find, that there was some obscure SQL injection that we missed somewhere, something that someone had created a decade before that none of us there even knew existed. The pen test company was able to find it and exploit it. But it was really neat that they were able to find a number of things that we were just totally unaware of. It really came out to be a very valuable program for us to do.
It’s totally worthwhile getting that third party point of view. No offense to any developers listening, but you can’t trust developers to find vulnerabilities in their own products because they like their creation. A lot of vulnerabilities come from the developer making an assumption about something that wasn’t quite correct. You need some kind of external person to find those issues.
You don’t necessarily know what your own assumptions are. It’s one of those things: when you’re doing those word search games, you look at it long enough and you can’t see it anymore, but someone walks up right behind your back and goes, “Oh, there’s this word. There’s this word. There’s this word.”
Yeah, pretty much.
Is there a set of standard things that people test for that pen test organizations use or packages out there that hackers use to try to access things?
If you want to find a vulnerability in a website, you need to use an attack technique. There’s documentation; there are charitable organizations that publish a methodology, just a set of steps for testing for all kinds of different vulnerabilities in websites. Some people would follow that methodology. Most pentesting companies would probably say they’ve taken that methodology and improved it, but they’re not going to tell you what changes they’ve made. But that’s just one part. Most pentesters and bug bounty hunters also use a security tool to automate some of these processes, which is where Burp Suite, the tool that my company makes, comes in.
For people who operate websites, are there a specific set of vulnerabilities that you see on a very consistent basis?
Absolutely. These days, I see a huge amount of cross-site scripting vulnerabilities. It’s plagued the Internet. It’s the most common bug that’s reasonably serious. Some issues like SQL injection are really serious, but they’re becoming less common over time. But other bugs like access control issues where one user can access data and resources intended for other users are still quite common.
Is that the kind of biggest risk that people have—that someone is able to escalate privileges that can get access to things that they shouldn’t get access to, like other user’s personal data?
I think that’s one of the most common causes of high impact breaches, especially because often these issues are really easy to find—really, really easy. You’ll log in, you’ll go to view your order, and in the URL it will say order_id=1234. Then you change it to 12345 and you’ve got someone else’s order. If you get lucky and that’s got a credit card number on it or something, then you can strip that off and dump 10 million credit card numbers and then sell them for a tiny profit.
That’s devastating. If you can’t answer this question, go ahead and say, “I’m sorry I’m not allowed to answer this question.” What’s the biggest data breach that you guys have been able to do as part of your testing, without telling me who the customer was? Were you able to get access to everything?
Getting access to everything is depressingly common. The ones that stick in your mind are the ones where you can get access to everything really easily. On one target that I looked at, there was a folder called sales. You could go to the website, type in /sales, and then suddenly you had access to literally millions of people’s data. It was so much data that the browser was struggling to show you the page. You didn’t have to do anything. There was no authentication or anything. It was just sitting there waiting for anyone to find it.
Kind of that philosophy of security by obscurity. I don’t need to have any security because no one’s going to know that this page actually exists.
Yeah. It looked really old, so maybe they didn’t know that it existed. But the data in it was still up to date.
When I was working in the corporate world, that was one of the most difficult things, is not knowing what someone else has built. It could have been 10, 15, 20 years ago. Is this still needed? Is it still being used? How secure is it? People weren’t necessarily thinking a whole lot about SQL injection at the birth of the Internet.
Are there things that website operators should be watching out for? Some red flags in terms of steps that they should be taking to prevent hacks and signs that they have been hacked?
It’s tricky. It’s a big topic. In terms of making sure that your website doesn’t get hacked, there are some basic steps, like try and use a framework where possible because that will make things like SQL injection less likely to happen. There are courses you can do and training on it, and you can learn about these attack techniques yourself. We’ve got a free online course on cross-site scripting and if you read that, then when you’re coding a website you’re going to be more aware of what that vulnerability is and how to prevent it. But the standard approach is, once you’ve made the website, get someone else to have a look at it and see what they can do.
Got you. What about the millions and millions of people out there who create websites, who know nothing about coding, and use off-the-shelf content management systems, CMSs like WordPress and Joomla?
With something like WordPress, you’ve got to keep it up to date and install as few plugins as possible because every plugin multiplies the chance that you’re going to get hacked. Make sure the plugins are up to date and choose a good password, obviously.
Yeah. That’s one of those key things: choose a very strong, unique password that you don’t use anywhere else. Does WordPress support two-factor authentication or multi-factor authentication?
I’m not sure.
I was just trying to think. I don’t think that’s an out-of-the-box availability.
You have to be careful with adding on security plugins because they often make your security better in some ways, but worse in other ways. I saw a WordPress one that, in essence, limited brute force logins, but it was vulnerable to SQL injection. It made your website much easier to hack if you installed it.
It’s a matter of, “Do I really need this plugin? Do I really need this feature?” Run with the minimum set that you need to achieve your goals.
Yeah. It’s the same with browser add-ons, too. The core browser code is being made by Google. It’s being tested extensively; it’s pretty hard to hack. But then the plugins are made by random third parties, and there’s not going to be so much assurance that they’re actually secure.
I know. Back in the early days of browser plugins, one of the very common things that would happen is you would install a semi-legitimate application and, as part of that install process, it would add a browser plugin to Internet Explorer that would change your homepage, change your search engine, and display ads on your computer all over the place. Pretty crazy time.
Definitely, it’s gotten better, but you still see reports of this extension just got yanked out of the Chrome Store because it was insecure or because they were collecting way more data than they should have been.
That’s still depressingly common. A common thing that I’ve seen with extensions is you have a legitimate extension with a load of users. Then the developer of the extension gets tired of developing it and sells it to a third party. The third party just fills it with malware. How would you protect yourself against that kind of threat? You just have to use as few extensions as possible. That’s the only way.
That’s one of those difficult things as a user—to use as few extensions as possible, but to keep up on, “Has this person sold their extension? Is this product still under development?” Just because you initially were using a WordPress plugin and it was getting updated every couple of weeks, every month, or with every WordPress update, it was getting an update. Most people are not going to be watching that to see if the developer has abandoned it or not.
Indeed. You’re almost better off not self-hosting your own WordPress system but using a reliable host, who’s just going to take care of that side of things for you. If you enjoy it, then more power to you. You will learn some skills.
Yeah, but user beware, I suppose, in that case. Let’s change directions here a little bit. Are there things that individuals should be watching out for in terms of being a target for hacking that make them particularly vulnerable? Obviously, weak passwords.
That’s the killer. Most people are not being personally targeted by hackers. The threats that most people need to watch out for are things that can be automated at scale. For example, if I find SQL injection in a website, then often I’ll get all of the passwords, maybe a hundred thousand; it depends on how many users that website has. I’ll get all the email addresses, too. I can try using that email address and password combo on lots of other websites, like their email accounts, PayPal, and so on. That’s not a personally targeted attack and that’s why, if you’re using the same password on lots of websites, you’re going to get hacked sooner or later.
Yeah. I assume you’ve heard of Troy Hunt’s Have I Been Pwned.
James: Yup. Exactly. It’s inevitable.
Yup. I had them on previously and it’s one of those things that you should subscribe with some sort of service that lets you know if an account has been hacked sometime in the past or at least being aware of these data breaches. A lot of people create an account, maybe they even use a unique password, but then Yahoo! gets their database dumped, their account gets hacked, and that email-password combination has been available for years on the Internet without it being changed.
Yeah. You just gotta use a unique password everywhere. A common misconception is if you’ve got a really strong, unique password, then it doesn’t matter if you reuse it. Unfortunately, that’s not true because some websites still store your password in plain text.
Yeah. Or they’re able to figure it out with enough brute force attacking once you’ve got the database locally.
Yeah. You can brute force it at insane speeds these days.
With the computing power that’s now available, it’s a little disturbing. It’s not like these data breaches are necessarily coming from mom-and-pop sites. Adobe was breached, Yahoo! was breached, LinkedIn was breached. It’s not like these are small entities with just a few accounts here and there.
No. That’s it and the small guys get breached, too. It just doesn’t get on the news because it’s […].
It may be even harder to identify where that data breach came from if there’s a small set of records, it could be nearly impossible to track it down to a particular source.
Yeah. That’s why I just use websites with the assumption that all the data that I give this website is going to end up on Pastebin or somewhere else public at some point in time.
I think that’s a good point to make. I generally try to do that. I assume that any information I enter online will be public at some point, whether by choice, by happenstance, or by a hack. If I’m providing information, it’s going to get out there. Lots of websites will ask you for a ton of information when you sign up, but only three fields are required.
Yeah, absolutely. I would provide the minimum information. I generally answer security questions on some websites, like some banks and stuff that treat things like your date of birth or your postcode as a piece of authentication. I like to lie about all those as much as possible.
It must be hard keeping up with all the lies.
Yeah. I have a specific fake birthday.
That’s easier to remember. I know a number of people when they use password managers for the security questions, they don’t actually answer the security question. It’s some randomly generated string of characters from a password manager.
On some websites you can put cross-site scripting payloads in your security questions. If someone else tried to do the reset on your account, then you can hack them.
That’s pretty clever.
But very illegal. I’m not recommending that you try this out.
If someone sees you trying to do that, they will probably treat you like a hacker even though you’re just trying to protect yourself. That’s pretty funny. Is there a good story that you have of either some hacking that you have done legally or some situations that you have heard of that you’ve been brought in to deal with in some sense?
My all-time favorite story: there’s a company that I can’t name for legal reasons. How this company works is you can sell them vulnerabilities in products. Maybe you find a series of vulnerabilities in Firefox that lets you take control over anyone’s computer if they use Firefox. Then you can go to this company. You send them the information and what they will do is make a bid for the information. They’ll say this looks like a good bug, this is worth $50,000 to us. Then you can either accept it, and you get the payment and they get the information, or you can reject it and then they’ll act as though they never saw it.
It’s a trust-based system. This happened years ago and the company’s still going, so I guess it mostly works. I was using Firefox and doing some stuff and Firefox crashed. I thought, I’m going to get my $50,000. I didn’t know what I was doing; this was a long time ago. The Firefox bug I found was useless, but when I went to report it, I found a vulnerability in this company’s website. It let me hijack anyone else’s account on this website and view all their highly sensitive exploits that were worth large amounts of money. I didn’t know what to do with this. I thought, I know, I’ll sell it to the company. I sold them the vulnerability in their own website. I was really scared that I was going to get arrested any minute. They made a bid for it and then bought it off me. That was the first bug bounty that I ever got.
That’s really clever. You got a bug bounty off a bug bounty’s own website, for themselves.
For their own website, yeah.
That’s almost just too classic. I’ve wondered, does an entity creating a bug bounty program almost draw unwanted attention in some sense?
They definitely draw fire. If they build their security around detecting when people are attacking them rather than being impervious to attack, then running a bug bounty is harmful because they have people attacking all the time and they don’t have any idea who’s legitimate and who’s hostile. The thing is, if your website is on the internet, it is being attacked. You can just put a server out there and look at the logs. Within a couple of minutes, it will be attacked by some automated stuff.
That’s definitely one thing with running whatismyipaddress.com. I get a lot of people saying somebody’s trying to attack my computer. Who are they? Or trying to access my router on the public side. Why are they attacking me? Can you help me figure out who they are? I was like, that’s just the normal background noise of the Internet. You connect a device and it’s going to get scanned by thousands of people all over the world, probably just on an ongoing basis.
Exactly. When you see an attack like that, the important thing is to understand it’s not personal.
The funny ones are I’ve gotten phone calls on my office line asking me, “Hey, I’m investigating someone trying to attack my system and I’ve been using this website, whatismyipaddress.com, and now they’re attacking me also.” They’re just seeing all inbound traffic to their computer and assuming all inbound traffic is malicious. I was like, “No, you’re going to my website, looking up IP addresses to find out information about the machines that you think are attacking you and now you think that the website is attacking you.”
That’s pretty crazy. I released a hacking tool once and one of the things that it does is it spoofs your IP address. It uses some kind of technical mechanism to make it look like the request is coming from somewhere else in order to test if the website is vulnerable to this kind of spoofing. Unfortunately, I wasn’t really thinking about what I was doing, so it makes all your requests look like they’re coming from the same server. That server was on Amazon, and one week later Amazon sent us an email like,
“Your website has just been on a hacking spree.” We’re like, “What? This website doesn’t even connect to any other system.” But because we’d put this plugin in the security tool, loads of people all over the world had been trying to hack systems all over the world and it looked like all this traffic was coming from my server.
Okay, I’m going to go really technically wonky here because I think I can have this technically wonky conversation with you. Isn’t that really evidence of poorly designed internet infrastructure, that spoofing attacks can happen at all? No network should ever be allowing a request out of its network that didn’t originate inside its network.
Absolutely. This technique only works on poorly configured websites. It happens at the website level. The response is actually sent to the correct real user, but the whole time the website thinks it’s talking to my server. We fixed the issue by changing the spoofed IP to 127.0.0.1.
Now everyone’s wondering why the machines are attacking themselves.
Indeed. But at least they weren’t contacting us.
That is one of those difficult things: as you make a tool, there are unintended consequences of people not understanding what’s happening. I suppose if it were on your own network, one that you were responsible for, as opposed to Amazon, you would’ve gotten a nasty phone call. But I suppose at some point, someone would’ve called you.
My host, where I co-locate my servers, occasionally gets those phone calls from people misunderstanding what’s happening and thinking that, while they’re using my website to get information, it’s hacking them or something weird like that. It’s interesting.
Yeah. We get a fair amount of that.
If people want to learn more about penetration testing, hacking, bounty programs, more about what you and your company do, are there some websites they can go to, some social media that they can follow?
Yeah. The company is called PortSwigger. The tool is called Burp Suite. If you Google either of those, you’ll find our website. If you’re interested in the hacking side of things, we’ve got something called the Web Security Academy where we’ve got loads of online courses, all free and interactive. You can practice hacking into real websites without any risk of getting any IP, emails, or anything like that.
That’s neat. Where’s that at again?
The Web Security Academy.
We’ll make sure to link to that in the show notes. If people want to follow you on social media, can they find you on Twitter?
@albinowax. It’s a long story.