Peter Kim has been in the information security industry for the last 10 years and has been a penetration tester for the last seven. He is the author of the best-selling computer hacking book, ‘The Hacker Playbook: Practical Guide to Penetration Testing.’ He was the lead penetration tester for the U.S. Treasury and Financial Management Systems.
In addition, he was a penetration tester for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and the Federal Reserve. He also gives back to the security community by teaching penetration testing courses at a community college, and creating and maintaining one of the largest security communities in the Santa Monica, CA area. He has also spoken at multiple security conferences. You can find him at his blog Secure Planet.
In this Q&A, uTest spoke with Peter about some of the more memorable vulnerabilities he has come across while hacking web apps, what he thinks of Apple Pay, and why his book is used in college coursework. Stay tuned at the end of the interview for a chapter excerpt from ‘The Hacker Playbook,’ currently the number one-selling software testing book on Amazon.
uTest: You’ve been in security and pen testing for a while now. Without giving out too many specifics, what was one of the more surprising or memorable lapses in judgment you have come across while ethically hacking web applications?
Peter Kim: I could write a book just on this question. I mean, I’ve seen it all, from a single company having 20+ different SQLi vulnerable public web applications, default credentials into their whole camera system, PII data leaks from major e-commerce sites, all the way to having access into equipment that controlled certain types of SCADA utility networks.
The funniest one I came across was about five years ago. A major AV vendor had all their clients talking back to their central web application over HTTP APIs. Sniffing the traffic, I was able to gain the administrative credentials in clear text from a client. Once I logged into the web application, I was able to modify the update agents within the web interface to force the end user to download a malicious file and execute them on the host systems.
We all had a good laugh, because what was meant to protect the network allowed us to compromise the network, and, ironically, the companies that advocated security had one of the worst IT security practices.