At SAP TechEd, Boston, I offered a “guided hacking tour” in the SDN clubhouse. The idea was to raise awareness among the participants regarding how easy it can be for an attacker to break into a web application if the developers don’t do their homework.

The setup was an online shop running on my VMware system with some serious security holes planted in the code.

Interested participants were confronted with 4 “hacking” goals to achieve:

  • Buy one of the items in the shop at a heavily discounted price: $1
  • Get as much credit card information from the system as possible
  • Acquire another user’s logon credentials
  • Become Administrator of the shop

Practically all participants had no idea where or how to begin and started by playing around with the application. The idea was that everyone should try to break into the system as far as they could, but if someone got stuck, I’d give a hint.

This way all participants were in the position of an attacker rather than a developer and learned to look at applications with different eyes.
Telling people about security is one thing, but sitting right in front of a vulnerable system with a hidden back door just a few keystrokes away is another.
After seeing the vulnerabilities some people even recognized that their own applications had the same type of problem…

There was no prize to win, but still a lot of people came by and spent considerable time trying to break the application.
Everyone told me it was an eye-opener.
Everyone learned.
And most importantly: everyone had fun.


7 Comments


  1. Anonymous
    Hi Andreas,
    I can only remember my college days ;). Will such a “guided hacking tour” be available in Bangalore? I really missed your event in Boston!
    Best regards,
    Felix
  2. Anonymous
    Hi Andreas,
    any plans on letting the non-Boston-visitors know about your hands-on lesson?
    Any article/weblog planned? I’d love to read about that.

    Cheers,
    Max

      1. Anonymous
        Well, you mentioned the goals, but I think it would be interesting to see your ways of achieving them, as well as some of the places the participants got stuck – so as to share the practical experience of this lesson.
    1. Andreas Wiegenstein Post author
      Hi Jürgen,

      Good to know that there will be at least one interested attendee in the audience… 😉

      The presentation on Friday is slightly different but nonetheless fun, I hope…

      Regards,
      Andreas

