Be careful—while you were reading this, I was stealing your cookies! Just kidding. But was I?
Do you have to be scared of things like that? What about XSS or XSRF attacks? How do they work? Are you vulnerable when you're browsing the web at Starbucks? Are your websites making your users vulnerable to being attacked?
Unless you actually learn how these attacks work, it's easy to be a little spooked. Sometimes caution is advisable, but sometimes we worry needlessly. The best way to know which threats are worth worrying about is to try out these attacks ourselves. By seeing exactly how common hacks work, we'll learn the best way to protect ourselves and our users. Hopefully we'll also pick up a little about how malicious hackers think, which is itself one of the strongest defenses. Don't worry: nothing we do will be illegal, nor will any of it cause harm to anyone's person or property.
We'll start out the class by learning about the most common means of malicious hacking: social engineering. (Sometimes, the best way to gain access to restricted systems is to look under someone's keyboard, where they've written down all their passwords.)
Then, for the majority of the class, we'll learn about some more sensational ways that malicious hackers do their dirty work. We'll actually try out these hacks for ourselves, either against each other (if we're comfortable with each other), or against the instructor, who will have throw-away websites and a computer ready for it. We'll try these hacks by hand, and we'll also download some tools that allow them to be carried out more easily. These are some of the things we may try out:
• Stealing cookies
• Snooping on network traffic
• Cross-site scripting attacks (XSS)
• Old-school lock-picking?
• And maybe more!
Familiarity with the following will help:
• The command line
• Basic knowledge of how servers and clients/browsers interact (HTTP!)
You can use any operating system (Windows, OS X, Linux). We'll be using a few Google Chrome extensions, so you'll need to have Chrome installed. We may also use a Firefox extension, so please have Firefox installed as well.
ABOUT THE TEACHER
Chad Ostrowski has never maliciously hacked anyone, nor does he want to. He doesn't even look at people's hands when they're typing in passwords, for fear that he might accidentally identify their keystrokes. He enjoys music, literature, exploration, and West Philly. He works at PipelineDeals and blogs at chadoh.com.