Want to improve the security of your application? Think like a hacker

January 5, 2022 by Ted Harrington

When it comes to securing software systems, pretty much everybody is worried about getting hacked. But what’s the best way to defend?

To defend against attackers, you need to think like them.

First, let’s make sure the term “hackers” is understood. This term has been widely abused in the media to refer to bad people doing evil things. In reality, “hackers” is a neutral term. Hackers are simply problem solvers, who make systems work differently than they were supposed to. Ethical hackers find security flaws in order to improve the system, while attackers try to find the same flaws, but to exploit the system instead. They’re both hackers.

Hackers relentlessly look for flaws. They identify assumptions, break systems, and ask “what-if” questions. By thinking like your attackers, you can anticipate and prevent attacks. 

So how can you start thinking like a hacker?

Stop following the rules. 

What it means to think like a hacker

To think like a hacker, you need to figure out what you’re not supposed to do. Most people follow the rules and use your application as you intended. Hackers actively do the opposite. 

Allow me to explain with a metaphor. A while back, I went to a bar. There was a long line and a $20 cover charge to get in. I wanted to avoid both of those. Instead of waiting in line like everyone else, I walked up to the VIP hostess and confidently declared that I was on the VIP list. 

She replied, “Hi! What’s your name?”

“I’m with the party,” I said vaguely. I was not actually with any party, but I wanted her to believe that I was. 

“Which one?” 

“The big one,” I said, once again being vague. I gambled that one group was bigger than the others.

“Oh,” she said, flipping through her list, “the Smith party?”

Bingo. 

“Yes.” I smiled. “I’m with the Smith party.” 

“Great, right this way.”

With that, she opened the velvet rope, escorted me past the cashier, and welcomed me to the bar.

Access granted! I broke the system. I was a regular visitor who was given elevated privileges. I certainly didn’t achieve that by thinking like a normal person. Not at all. I did it by thinking like an attacker. 

(And don’t worry: I more than made up for my shenanigans with a big bar tab!) 

Adopt an attacker’s mindset

This metaphor is a classic example of social engineering (tricking people into taking actions they otherwise shouldn’t) rather than a technical exploit. Nevertheless, it vividly demonstrates the attacker mindset, and you must apply the same ideas to break your application. 

Simply replace “bar” with “application,” and this story shows exactly how to think like an attacker. They don’t follow the rules; they figure out how to break them.

Here’s a step-by-step guide to how you can do it:

  • Set a goal. In this story, the goal was to bypass the line and the cover charge. To do that, I needed to elevate my privileges from a normal patron to VIP.
  • Learn how the system works. For example, I observed that the bar enforced authorization: the step in which a system verifies that a requester has permission to do something (in this case, to enter by the VIP line). The VIP host’s job is to perform that verification.
  • Gather information. To get on the VIP list, I needed to identify a group that was legitimately on it so I could associate myself with that group.
  • Identify assumptions. The system relied on several assumptions. Some groups have VIP access. A person is authorized to enter by the VIP line if they are with a valid VIP group. A person is assumed to be part of a VIP group if they can produce the group’s name.
  • Get the system to respond in ways it’s not supposed to. By using specially crafted inputs (my vague, leading statements), I got the VIP hostess to reveal secrets, such as the name of a valid VIP group. I then got her to believe that I was a member of that group. She was supposed to keep me out, but as a result of this, she let me in instead.
  • Exploit. I escalated my privileges from normal patron to VIP, thereby obtaining elevated access I shouldn’t have had. I entered the bar without paying cover or waiting in line. The system was specifically designed to prevent exactly this, and yet I was able to do it anyway — all by thinking like an attacker.

If you can break your system’s rules, you can identify the same vulnerabilities attackers would strive to exploit — and, ideally, fix them before attackers get the chance. 

Break assumptions, break the rules

Never assume that “no one would think of that,” because there’s almost always someone who will. The foundation of your security model is laid upon assumptions about how the system works and how users will interact with it. Be wary of the assumptions you’ve made: where those assumptions are wrong is where you will be blindsided by an exploitable vulnerability. 

To address that, think like a hacker. Explore the assumptions you’ve made about your application, and try to get the system to respond in ways it isn’t supposed to. This should be done by your external security consultant, in order to deliver the kind of independent, unbiased view necessary to identify blind spots. Your goal is to expose blind spots that attackers might use to their advantage; capitalizing on someone else’s viewpoint is a great way to do that. After all, that’s what your security consultant does for you: they help you think like attackers, so you can defend against them.

Ted Harrington is the #1 best-selling author of "HACKABLE: How to Do Application Security Right," and the Executive Partner at Independent Security Evaluators (ISE), the company of ethical hackers famous for hacking cars, medical devices, web applications, and password managers. He’s helped hundreds of companies fix tens of thousands of security vulnerabilities, including Google, Amazon, and Netflix. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organizes IoT Village, an event whose hacking contest is a three-time DEF CON Black Badge winner. He hosts the Tech Done Different podcast. To get help with security consulting and security assessments, or to book Ted to keynote your next event, visit https://www.tedharrington.com.