HackTheBox CA CTF - Using Snyk to Find & Fix Vulnerabilities

33,328 views

John Hammond

1 day ago

Seriously, isn't Snyk SUPER COOL? Check it out! snyk.co/johnha...
Exploit Goof, the vulnerable web app! github.com/sny...
00:07 - BlitzProp HackTheBox Cyber Apocalypse CTF challenge Intro
01:00 - What is snyk?
02:36 - Snyk can be FREE!
03:34 - Connecting Snyk to Github
04:54 - Discovering Goof, the Vulnerable Web App
07:28 - Deploying Goof
09:14 - Interacting with Goof
10:00 - Finding Directory Traversal/File Access
11:22 - Snyk Vulnerability Database
13:22 - Patching Vulnerabilities with Snyk
19:52 - Pivoting back to the HackTheBox BlitzProp challenge
20:58 - Finding Prototype Pollution and RCE with Snyk
21:41 - Deploying the BlitzProp challenge with Docker
22:52 - Exploiting the Prototype Pollution vulnerability
26:32 - Using Snyk to Patch the Vulnerability
28:38 - Validating the change with our exploit
29:21 - Wrap Up & Thank You
Hang with our community on Discord! johnhammond.or...
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: / johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: paypal.me/johnh...
GitHub: github.com/Joh...
Site: www.johnhammond...
Twitter: / _johnhammond

Comments: 69
@dajiru1976 3 years ago
Thanks to this guy I put my hands on the keyboard, learning a bit of hacking every night. Thanks John.
@MakN. 3 years ago
I just started. Very fun but a bit overwhelming to begin with!
@dajiru1976 3 years ago
@@MakN. Just be patient. I suggest starting with picoCTF and using Google a lot. The point is to learn. Even check the write-ups. Try to find a similar problem and try to solve it by yourself.
@MakN. 3 years ago
@@dajiru1976 Thanks :) Just did my first HackTheBox today with some reverse TCP. Slowly slowly 😁👍
@ko-Daegu 3 years ago
@@dajiru1976 Which picoCTF challenge did you start with?
@UnknownSend3r 3 years ago
@@MakN. What's your background before doing your first CTF?
@1anre 1 year ago
This was both refreshing and humbling. Didn’t know such easy-to-learn tools to get into the AppSec space even existed or were this accessible. Would be great to see videos on your Career, how you knew Security was for you, & what you do to keep up to date with the latest trends in this Space.
@mossdem 3 years ago
Wow, Snyk is awesome! What a great idea for security programs for startups and projects, and even better, it's open-source!
@kopuz.co.uk. 3 years ago
Yeah it seems to be a pretty good info-sec service, although a bit of a logistical nightmare for the devs.
@mossdem 3 years ago
@@kopuz.co.uk. Haha, I can only imagine the headaches 😂
@1anre 1 year ago
@@kopuz.co.uk. But it clearly points out where in the dev's code they need to take things a bit more seriously and learn from as they develop in their software development career. What's so bad about having such a proactive tool at your disposal that still spoon-feeds you on where to look in your code specifically?
@VivekSingh-ve5pr 3 years ago
Thanks for bringing up super cool videos frequently. I'm always excited to watch them.
@dajiru1976 3 years ago
Me too
@TomDoesTech 3 years ago
I saw the thumbnail and thought "I need to see Ed Sheeran fixing vulnerabilities".
@shabnashummer645 3 years ago
Thanks John, you make me realize how vulnerable the apps we have developed are. We were only focusing on the end-user requirements.
@lepsycho3691 3 years ago
I would have preferred you to disclose the sponsorship at the beginning of the video, not 20 seconds from the end. Otherwise great demo and a lot of potential from using Snyk for CTF!
@1anre 1 year ago
When are you making your own tutorial video so that you can announce your sponsorship 10 secs into the video? Secondly, there's nothing wrong with sponsorship as long as the tool does what it promises. Don't see why folks think every YouTuber that snags a sponsorship deal means he's selling a bullcrap product and forcing it down people's throats.
@lepsycho3691 1 year ago
@@1anre I never said that sponsorships are wrong. But if you follow the FTC guidelines, it should be HARD to miss. Therefore, my critique stands: make it so that it is known at the beginning of the video and not the end.
@0dayCTF 3 years ago
SNYK is OP ❤️
@ameer2942 3 years ago
Hey look... Guy from THM
@kherkert 3 years ago
For the next vid, please fix your mic settings. Listening through a headset, the audio is clipping badly. Turn that gain down a bit 😉
@wilcosec 3 years ago
Great ad, John! Thanks for putting this together. I hope they paid you BIG $$$ for that half-hour ad.
@1anre 1 year ago
Nah. The tool does what it's supposed to do. Get a life.
@JustFun-dj3pq 3 years ago
Super cool! Great video as always bro
@oldGoatMilk 3 years ago
It premieres at 3am for me. I'll have to watch it when I wake up.
@scarlett6761 3 years ago
Don’t forget to register your copy of Sublime Text 😄
@stephenmount6181 3 years ago
@John not to discredit Snyk and similar tools, which I'm sure do more than check your dependency management (e.g. trying RCEs using libraries that are used, like what they call ImageTragick), but running `npm audit` and `npm audit fix` would capture what is in this video.
@1anre 1 year ago
Can you do a video to show all this clearly?
@Bananananamann 2 years ago
Now add backwards compatibility to the mix! I see how this could work in a CI/CD context on new apps though.
@ventordicissimo 3 years ago
Very interesting topic. I have to say though, the audio is a bit clippy.
@MrFontaineInc 3 years ago
This is definitely a legit tool!! I hope to see more iterations of this in the future as the importance of "shifting left" becomes the norm.
@droidsino8072 3 years ago
Thank you for everything you do 😊
@georgesotiriadis2763 3 years ago
Amazing video again John. I have a question: in order to understand all these kinds of web attacks, is it better to know the technology, like building a Node app or PHP app, and see why the vulnerability existed in the first place? Like NoSQL injection etc.
@jorisschepers85 3 years ago
Could you use this in a King of the Hill to hold off the others?
@SirHackaL0t. 3 years ago
I enjoy your videos, but your mic is either too close to your mouth or the signal is a bit hot, causing distortion. :)
@joshr9730 3 years ago
Digging the shirt, I have one myself :D
@mk_r4zy450 3 years ago
What application launcher are you using? :)
@rajarshibasak559 3 years ago
Bro, I am in depression after seeing a couple of your videos. So much I have to learn. I was thinking I knew something about hacking, now it seems I know nothing 😞
@1anre 1 year ago
Hahaha. 1 year later, how has the learning journey been? Hope you're less overwhelmed and can teach us a thing or two from what you've picked up over the last year?
@quentinh.9978 3 years ago
Don’t sub or like non music but love the video
@logiciananimal 3 years ago
I'd love to see Snyk target Mutillidae or Juice Shop or one of those.
@1anre 1 year ago
What are those particularly?
@logiciananimal 1 year ago
@@1anre Deliberately vulnerable applications for learning and illustrating vulnerabilities and flaws in software.
@michaelguier2053 3 years ago
Yeah, Snyk is also incorporated into Chrome's dev tools. If you run Lighthouse tests it generates that report and refers you to Snyk too. Good.
@rahulsharmar1 3 years ago
Hey, from where can I learn Python scripting? Like to automate tasks and make tools. Can you suggest some good resources?
@DahlFreeman 3 years ago
Dope!
@samoconnor3633 3 years ago
I'm literally making a web app vulnerability scanner right now for my A-level NEA project wow 😂
@UnknownSend3r 3 years ago
What's an A-level NEA project?
@samoconnor3633 3 years ago
@@UnknownSend3r I'm currently studying computer science at A-level; a part of the spec is that you have to build a piece of software, which is called your NEA (non-examined assessment).
@Dedseq 3 years ago
sick!
@ArthursHD 3 years ago
Nice!
@whoamisecurity9586 3 years ago
Hello 👋
@Tekionemission 2 years ago
(11:05) - Encoding
@PermisSecurity 3 years ago
ippsec vs john Hammond pls
@BlRaidX 3 years ago
You hit ignore on most of them.
@OK_NOK 3 years ago
KOTH Nuke button
@psd00m 3 years ago
@vladostema 1 year ago
We need some kind of script that scans a real URL and finds how to hack it.
@1anre 1 year ago
No you don’t.
@kbharathi1183 3 years ago
Sir, is there any giveaway?
@SONGOKU-tl3ht 3 years ago
Tool is cool and all, but mention "includes paid promotion".
@djorngougenhimer7455 2 years ago
Have to give it a dislike as you don't say it's a paid promotion/sponsored video till the end; basically an advertisement. Makes you look dodgy/questionable/untrustworthy. Have seen a couple (read: 2 or 3) of your other videos and they were interesting, but this makes me question your integrity.
@1anre 1 year ago
Nah. Flawed criticism. If he didn't even mention it in the video in the first place, would your wise self know, or would you be able to throw any tantrum then? Doubt it. Enjoy the free content and move along.
@_ShamsPathan 3 years ago
Someone hacked your YouTube channel? Is it a deepfake video?