Monday, 24 September 2012

Why the free exercises?

A lot of people are asking me why I moved from paid to free exercises... Here is the beginning of an answer ;)

First, for people who don't know, the exercises used to be sold for between $12 and $20. I was making a few sales (enough to pay for hosting, not for the work put into building each exercise). I was at the point where I had to spend more and more time working on marketing and thinking about protecting the content (watermarking, ...)... Bottom line: I was focusing on things I don't enjoy doing instead of spending time on things I like (building awesome exercises).

I had been thinking of making everything free for a while, since my main goal was to get a lot of people to use my exercises, not to make big $$.

So I recently moved everything to free and I haven't regretted it since:

  • I'm more focused on what I like doing (building cool exercises);
  • I get great feedback almost every day (emails, comments on reddit, twitter, ...);
  • I'm more motivated and have more liberty;
  • I made some good contacts (book publisher, technical people,...);
  • The website visits have increased by more than 5000% according to Google Analytics;
  • I had scaling problems and started using Amazon S3;
  • ...

However, the goal of PentesterLab is still to make a bit of money (at least to pay for hosting and some beers) and I'm slowly looking at ways to do that:

  • the exercises available can only be used for non-commercial usage; a few people have already contacted me about using them to run training under a commercial licence.
  • sponsoring/advertisement/affiliate
  • building a job board
  • ...

I'm still undecided and I have plenty of time to work out the best solution(s). At the moment, I'm just enjoying all the great feedback and working on the next exercise.

Finally, thanks to everyone who bought the exercises before they became free: you kept me working on them, and thanks to you everyone can now enjoy and learn :)

Saturday, 22 September 2012

Breaking the syntax

I recently gave a training at OWASP NZ on test-driven security. One of the key concepts I introduced was "Breaking the syntax".

My idea is that way too many people think about vulnerabilities as a magic pattern:

  • ' or 1=1
  • <script>alert(1);</script>
  • `id`
  • ../../../../../

And that's wrong for many reasons:

  • a pattern can be filtered;
  • a pattern only works in some cases;
  • ... it's just wrong.

A better solution is to think about injection-based attacks as breaking the syntax, rather than just sending a payload and seeing how things go.

Let's take an example:

<a href="/[USER CONTROLLED]" >test</a>

If you are able to inject a double quote, you can break the syntax:

<a href="/broken " syntax" >test</a>

The HTML syntax is no longer valid; once you have that, you can find a payload to exploit the issue if needed.

The same thing applies to this example:

<a href=/[USER CONTROLLED] >test</a>

Here, however, you don't even need to inject a quote, a double quote, or > and <: a single space is enough to break the syntax of the HTML page:

<a href=/broken syntax>test</a>

Depending on other components you may not be able to exploit the bug, but if you're a developer and want to ensure the security of your application, understanding this is all you need to test for injection-based attacks.

And "breaking the syntax" applies just as well to SQL injection, code execution, command execution, ...
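As an added example (not code from the original post or from PentesterLab), here is how the "breaking the syntax" idea turns into a test-driven check for the two href examples above: render the page with a canary value, parse it back with Python's html.parser, and assert that the value is still a single attribute, i.e. the input stayed data. The render_* functions and the canary strings are assumptions constructed for this example; the escaped variant shows the fix (quoting plus html.escape) passing the same test.

```python
import html
from html.parser import HTMLParser


class _AttrCollector(HTMLParser):
    """Record every start tag and its attribute list as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


# Hypothetical renderers standing in for the application's templates.
def render_unsafe_quoted(user):
    return f'<a href="/{user}">test</a>'          # attribute is quoted, value not escaped


def render_unsafe_unquoted(user):
    return f'<a href=/{user}>test</a>'            # attribute is not even quoted


def render_escaped(user):
    # Quoted attribute plus html.escape(quote=True): '"' becomes '&quot;'.
    return f'<a href="/{html.escape(user, quote=True)}">test</a>'


def syntax_intact(render, user):
    """True if the rendered page still contains exactly one <a> whose only
    attribute is href with value '/' + user. Any extra tag or attribute means
    the input broke out of the attribute, i.e. the syntax was broken."""
    parser = _AttrCollector()
    parser.feed(render(user))
    parser.close()
    anchors = [attrs for tag, attrs in parser.tags if tag == "a"]
    if len(anchors) != 1:
        return False
    return anchors[0] == [("href", "/" + user)]   # parser already decodes &quot;


if __name__ == "__main__":
    # Constructed canaries: one carries a space, one a double quote.
    for canary in ("broken syntax", 'broken " syntax'):
        for render in (render_unsafe_quoted, render_unsafe_unquoted, render_escaped):
            status = "intact" if syntax_intact(render, canary) else "BROKEN"
            print(f"{render.__name__:22} {canary!r:20} -> {status}")
```

The quoted template survives the space but not the double quote, the unquoted template fails on the space alone, and only the escaped template keeps the syntax intact for both canaries.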