OK kids, gather around and sing with me:
On the 1st day of Christmas a hacker faxed to me proof of SQLi in my website database using SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
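The first verse's query, worked through as an added example (mine, not from the original post or from OWASP): the username admin'-- closes the string literal and the -- starts a SQL comment that swallows the rest of the WHERE clause, so the password is never checked. The members table, its one row, and the function names are constructed for the demo; SQLite is used because it ships with Python and treats -- as a comment like the other common dialects.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory members table with one admin row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT)")
    conn.execute("INSERT INTO members VALUES ('admin', 'n0t-password')")
    conn.commit()
    return conn


def build_vulnerable_sql(username, password):
    # The query is assembled by string concatenation, exactly as in the verse.
    return ("SELECT * FROM members WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    # The attacker-controlled username becomes part of the SQL text, so
    # admin'-- turns the statement into: ... WHERE username = 'admin'-- ...
    row = conn.execute(build_vulnerable_sql(username, password)).fetchone()
    return row is not None


def login_fixed(conn, username, password):
    # Parameterised query: values travel separately from the SQL text, so the
    # quote and comment characters in the username are compared as plain data.
    row = conn.execute(
        "SELECT * FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("admin'--", "password"))
    print("vulnerable login:", login_vulnerable(db, "admin'--", "password"))  # True
    print("fixed login:     ", login_fixed(db, "admin'--", "password"))       # False
```

The fixed version is not a filter: it does not try to recognise quotes or comment markers, it simply never lets user input become SQL syntax. Escaping the quote by hand would also have to cover every other dialect-specific trick, which is why parameterised queries (or an ORM that uses them underneath) are the standard fix.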
On the 2nd day of Christmas the hackers gave to me a < IMG SRC="jav ascript:alert('XSS');" > #OWASP and a link to the other cheat sheets at: https://www.owasp.org/index.php/Cheat_Sheets
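The second verse's payload relies on two things a browser does before it looks at a URL's scheme: the HTML tokenizer decodes character references in attribute values, and the URL parser strips leading/trailing control characters and spaces and removes ASCII tab and newline anywhere in the string. The space in "jav ascript" is where the OWASP cheat-sheet version embeds a tab (literal, or encoded as &#x09;), so a filter that only looks for the literal text javascript: lets it through. Below is an added example (mine, not from the post or from OWASP) of a server-side check for href/src values that normalises the way a browser would before deciding; the allowed-scheme list, function names and payloads are assumptions constructed for the demo.

```python
import html
import re

# Schemes allowed in href/src attributes for this demo; everything else
# (javascript:, data:, vbscript:, ...) is rejected. Assumption, adjust to taste.
SAFE_SCHEMES = {"http", "https", "mailto"}

# URL scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def naive_is_safe(raw):
    """The weak check the verse defeats: a literal prefix match on the raw value."""
    return not raw.lower().startswith("javascript:")


def normalize_attr_url(raw):
    """Apply the transformations a browser applies before scheme detection."""
    # 1. Character references in attribute values are decoded by the HTML
    #    tokenizer, so jav&#x09;ascript: becomes jav<TAB>ascript: first.
    s = html.unescape(raw)
    # 2. The URL parser strips leading and trailing C0 controls and spaces ...
    s = re.sub(r"^[\x00-\x20]+|[\x00-\x20]+$", "", s)
    # 3. ... and removes ASCII tab, LF and CR wherever they appear.
    s = re.sub(r"[\t\n\r]", "", s)
    return s


def url_scheme(raw):
    """Lower-cased scheme of the normalised URL, or None for a relative URL."""
    m = SCHEME_RE.match(normalize_attr_url(raw))
    return m.group(1).lower() if m else None


def is_safe_url(raw):
    """Allow relative URLs and the listed schemes; reject everything else."""
    scheme = url_scheme(raw)
    return scheme is None or scheme in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed payloads: the verse's embedded-tab variant, its encoded
    # form, a leading-space variant, and two legitimate URLs for contrast.
    for url in ["jav\tascript:alert('XSS');",
                "jav&#x09;ascript:alert('XSS');",
                " javascript:alert('XSS')",
                "https://www.owasp.org/index.php/Cheat_Sheets",
                "/images/logo.png"]:
        print(repr(url), "naive:", naive_is_safe(url),
              "normalised:", is_safe_url(url))
```

The design choice is an allow-list on the scheme after normalisation, not a deny-list of bad strings: new bypasses show up as new ways of spelling "javascript", and a deny-list has to chase every one of them, whereas the allow-list only changes when you decide to permit a new scheme. This check covers the URL context only; output in HTML body or attribute text still needs the context-appropriate encoding from the OWASP XSS prevention cheat sheet.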
On the 3rd day of Christmas the hackers gave to me an Insecure Direct Object Reference on a critical system: http://yourwebsite.com/secret/adminconsole:8050
On the 4th day of Christmas the hackers gave to me... a .PDF file, and he said "test your sh$t! This is too easy...": http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
On the 5th day of Christmas the hackers guessed my lame-ass Wi-Fi WEP key (and WEP can be cracked in minutes even when the key is not lame), changed my SSID to "Hacked" and left it as an open AP
On the 6th day of Christmas the hackers came back after the upgrade from WEP on day 5, guessed my lame-ass WPA passphrase, changed the SSID to "Hacked Again" and made it an open AP again
On the 7th day of Christmas a hacker opened my physical locks using a 9999-cut bump key on door #1 and a shim on door #2, and placed a "boom" sign inside the safe to prove a point about my lame physical security
On the 8th day of Christmas the hackers gave to me a bag of dumpster-diving treasure, to point out my lack of shredding, that included bills from trusted vendors with account info, credit card carbons, printed internal emails and more...
On the 9th day of Christmas the hackers gave to me an email aimed at my wife about a refund on a holiday purchase, carrying targeted malware with a custom packer that bypassed my installed and updated corporate AV investment. After getting a remote shell he popped my work laptop, which was also connected to my personal LAN, exported the certificate from the VPN client, and installed a keystroke logger on the computer I use for business to capture the password... damn
On the 10th day of Christmas the hackers gave to me snippets of critical system code from the new project that he picked up from Pastebin (thanks, 3rd party)
On the 11th day of Christmas the hackers knocked down my commerce website during the busy season with a Denial of Service (a slow HTTP POST attack that ties up server connections, see the OWASP HTTP Post Tool: https://www.owasp.org/index.php/OWASP_HTTP_Post_Tool) and suggested I look at the OWASP ModSecurity Core Rule Set project: https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project
On the 12th day of Christmas the hackers emailed me a compiled PoC 0day for the shiny new public-facing appliance we installed, just to say "whaaat'ssss up"
After getting my A$$ handed to me in 201x... I started to read the OWASP Foundation website at http://www.owasp.org and found things like the Enterprise Security API (ESAPI), free videos, guidance on mobile security, job postings from around the world and over 140 other projects (https://www.owasp.org/index.php/Category:OWASP_Project) that helped. I planned to attend both global and local AppSec events for the value, and I became a member.
Happy Holidays from the OWASP Foundation
Suggestion: post your own alternative days of Christmas in the comments below; then you can copy and paste them to make your own version for a company newsletter or an internal awareness campaign.
Awesome :)