web application security lab

What Was Your Epiphany?

A few weeks ago at RSACon I sat down with Amit Klein and asked him one question that I had wanted to ask for a long time. I wanted to know if there was one defining moment in his past that suddenly opened his eyes: some event that made him realize he had stumbled upon knowledge that would lead him down a path only a very select few would ever travel, the one cathartic event that made him realize the web was extremely vulnerable. I asked because I wanted to know whether there was a common thread between him and some of the other experts in the field.

Amit took his sweet time thinking of a good answer, telling me all the while that there was no single defining moment and that the question was harder than it sounds. Yes, yes, Amit, but out with it! He finally told me about the first time he messed with a binary. He opened it in an editor and changed one word. Expecting it not to work, he ran it, and sure enough it did. That it worked at all amazed him, and he suddenly realized there were probably a lot of similarly exploitable things out there. He also told another story about reading the HTTP spec and realizing that you could put a newline in front of the first line of an HTTP request, a detail that would eventually lead to exploitation.

So then I asked the same question of Dinis Cruz:

I can probably point to three key moments:

- the first was when I was CTO of a university and one of the campus IT guys showed me how he was able to access (over the internet) another campus’s internal network (via a remote shell delivered through one of the earlier IIS exploits)
- the 2nd was when I read the first Hacking Exposed book back to back and really got an understanding of network and application exploitation
- the 3rd was when I realized that my programming background (ZX Spectrum generation, assembly programming on Amiga/x86, etc.) really allowed me to ‘understand’ application security (vs network security) AND to write exploits

Jeremiah Grossman also gave his story:

For myself it started almost immediately when I began developing web applications many years ago. I read all the books, walked through the examples, and built websites. Being the natural prankster that I am, I immediately saw how others could potentially screw around with the way my application worked, post offensive stuff, and just generally cause a poor user experience. At the time I didn’t know even to call it "security"; it was just something that could be done to a webapp. The AHA moment came when I got the feeling that my code was no better or worse than anyone else’s. :)

As I just passed my 800th blog post, I realized I had never talked about my own moment either, and what better way to talk about it than alongside other people’s moments. Mine is a very vivid point in time in my memory. I had read the HTTP spec and knew the basic principles of how it worked, but one day I followed some guide, telnetted to port 80 for the first time and started typing in commands. The first time I saw a flood of headers fly by my screen was like getting hit in the face with a brick. I just couldn’t deny how powerful that knowledge was, and how broken everything must be if it was that simple. I know most people look at HTTP and kinda shrug their shoulders, but for me it was an awakening that made me realize there is almost no end to the potential, and the danger, that it allows.
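
Both HTTP moments above (the newline in front of the first line, and the raw request typed into telnet) come down to how little there is to the protocol. The following is an added example, not code from the original post: a minimal Python parser for the request head you would type into a telnet session to port 80. RFC 2616 section 4.1 says a server should ignore empty lines received where a Request-Line is expected; the parser implements that rule behind a switch so the same bytes can be fed to a tolerant parser and a strict one. All requests are constructed inline, and the hostnames and paths are placeholders.

```python
"""Added example: a minimal HTTP/1.x request-head parser (not from the original post).

It shows (1) what a raw request typed into `telnet host 80` actually looks like and
(2) the RFC 2616 section 4.1 rule that empty lines before the Request-Line are
ignored, the detail behind the "newline in front of the first line" story.
All requests below are constructed in this file; nothing touches the network.
"""

CRLF = "\r\n"


def build_request(method="GET", path="/", host="example.com", extra_headers=None):
    """Return the raw bytes you would type into a telnet session to port 80."""
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in (extra_headers or {}).items():
        lines.append(f"{name}: {value}")
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")


def parse_request(raw, skip_leading_crlf=True):
    """Parse the Request-Line and headers of an HTTP/1.x request.

    skip_leading_crlf=True  -> RFC 2616 section 4.1 behaviour (tolerant server)
    skip_leading_crlf=False -> strict parser that rejects the same bytes
    Raises ValueError on anything malformed; returns a dict otherwise.
    """
    text = raw.decode("latin-1")
    if skip_leading_crlf:
        while text.startswith(CRLF):
            text = text[len(CRLF):]
    head, _, body = text.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    if not lines or not lines[0]:
        raise ValueError("missing Request-Line")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed Request-Line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def accepts(raw, skip_leading_crlf=True):
    """True if parse_request() accepts the bytes under the given policy."""
    try:
        parse_request(raw, skip_leading_crlf)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    raw = build_request(path="/index.html", extra_headers={"User-Agent": "telnet"})
    print(raw.decode("ascii"))
    print(parse_request(raw))
    # The same request with a blank line typed first: accepted by a tolerant
    # parser, rejected by a strict one.  Two parsers in one request path that
    # disagree about where a request starts is the raw material for smuggling.
    padded = (CRLF + raw.decode("ascii")).encode("ascii")
    print(accepts(padded, True), accepts(padded, False))
```

The switch is the point: a front end and a back end that apply different tolerance rules to the same bytes will disagree about where one request ends and the next begins, which is the general mechanism behind request smuggling.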

I don’t know that I can point to any one particular thread between these experts, but I do know that the net effect was the same. The realization that everything is vulnerable is a pretty profound concept. So? What’s your story?

33 Responses to “What Was Your Epiphany?”

  1. thornmaker Says:

    While in college (around 2001), my school deployed a new web app for managing student accounts and I noticed that it displayed the user name I had entered all over the place. I started thinking about how it would be cool if I could insert html and have it displayed, but surely the application wouldn’t let me just input anything.

    So I changed my username to “>

  2. thornmaker Says:

    hmm… let’s just say the injection had an opening html comment. And I was amazed that the injection worked! All of the pages were commented out from that point on, which actually really sucked because at the time I couldn’t undo it (well, it would have been possible to, I just didn’t know how to). Anyhow, that was my “aha!” moment.

  3. Giorgio Maone Says:

    When I was twelve, a schoolmate of mine bet I could never reach the last Lode Runner level.
    The next day I invited him over, and he almost fainted when I showed him my C64 monitor with level 150 paused. In the end I sold him the preloader I had hacked together, poking a configurable start level and infinite lives :)

  4. Awesome AnDrEw Says:

    I believe there were two distinctive points at which I decided this (security) would be something that interested me. The first of which was back in late 1998 when I was running a small website, and had included a guestbook feature that was slightly modifiable, but run by the host. At the time a few of my friends also had websites, and they too enabled this option.
    I realized shortly after that I was able to use any HTML tag I pleased in the input, and that it would appear correctly on the guestbook. I then began playing with the feature, inserted CSS to change the color of everything, and eventually a META refresh tag to forward guestbook viewers to my own site. I realized it would be just as easily done to my own so I had attempted to create a simple client-side script to remove all HTML. It was very basic, but it did the job back then.
    The second period in which I believe I was truly inspired was while attempting, and then succeeding, to create an all-around automated forum tool. During the project I figured out how HTTP worked, what the different methods were used for, how variables in the request could be modified and spoofed, and ended up making a very popular application. Of course the owner of the service did not take this very kindly, and instituted a policy preventing anyone from making third-party programs capable of accessing the messageboards after personally issuing a “cease and desist” order to me.

  5. Dan Weber Says:

    It was 1986 or so. I was staring at a Beagle Bros. pointer sheet, and saw the RWTS (read-write-track-sector). Something clicked, and I suddenly realized I could edit the floppy disks with saved data for Ultima III.

    Thus began a long career of modifying data.

  6. Dave Ockwell-Jenner Says:

    My epiphany was being part of the European ‘demo scene’ for a while and realizing that countless teenagers-in-bedrooms could code rings around the professionals. What hit me was that the creativity and tangential thinking these folks demonstrated was more valuable than any specification or implementation. True hacking.

  7. Gareth Heyes Says:

    Back in 1996-1997, when Altavista, AOL and MSN all allowed me to insert html tags in their query box. I suddenly realised that everything is insecure, and when I got no reply to my emails, I also realised that nobody cared….

  8. dinosaucer Says:

    dinis cruz - smart man, but please god stop letting him talk at OWASP cons.

  9. Jason Says:

    During college in the early 90s, it was the first time I telnet’d to port 25 on our VAX mail server and started sending email to friends from ‘GOD@heaven.net’ letting them know that either I knew what they were doing and they should cut it out, or that everything would be okay (depending on how I felt toward them at the time).
    I also sent email to some of my friends from reznor@nin.com or something like that telling them how much I appreciated loyal fans. I never told them it wasn’t really Trent Reznor… I wonder if they still believe…

  10. Ronald van den Heetkamp Says:

    Phew, epiphany… I guess there are lots, and it’s kinda tough to pinpoint a key moment. If you consider hacking “an sich”, I would say that my dad was quite amazed that I made doors into a Tonka truck he gave me for my birthday when I was around 4 years old. These trucks were advertised with an elephant standing on top of the truck; they really were indestructible, but that bothered me somehow. I can’t remember it correctly, but my dad told me that I made doors into it, trying to look under the hood (which wasn’t there), and later managed to remove the big tires in despair.

    Later on, when I got a $99 keyboard on my 9th or 10th birthday that only had “standard” music banks in it, I wanted to modify it into a synthesizer, because I could not afford one. So I modified it myself by altering the circuits and adding switches and potentiometers with different capacitors, generating really weird sounds and noises, which I liked.

    In computer hacking I think it was when I got a P2000(Z80) and wanted to get sound or music out of that thing instead of bleeps, eventually destroying the EEPROM.

    In Internet or webappsec, I guess it was when my site got hacked. I ran a porn site, and uploaded a script that could change the .htaccess through a webapp; they defaced me and sent me an email. I was furious (which I regret now), but that led me into webappsec, around 2000 or so. And from that time I’ve been lurking around.

    :D So I guess for me the unknown and the restrictions of a system brought me here. I can admit that I’m a control freak in some sense; things must do what I want them to do. So, epiphany… or the point where I got it, I am not sure.

    Maybe I still don’t get it ;)

  11. thrill Says:

    Mine came shortly after I had purchased Arkanoid, which I used to play on my mom’s Tandy 1000 (with a 20meg hard card!!!). I copied the game to the hard drive, but any time I wanted to play it I had to insert the floppy. After checking a few BBSs I found instructions on using DOS’ ‘debug’ to modify the portion of the program that called the function to verify the floppy was there. Shortly after that I discovered XTree and its amazing binary editor, which of course allowed me to edit text in many games, personalizing them!

    My second one came around 1995, after we installed our first T1 and had ‘very desirable’ domain names to use on IRC. A friend asked me if I would make an account for his friend, and I told him that if he could hack the server he could make as many accounts as he wanted. The following day I had 50+ accounts on a machine that had only had 5 the day before.. this got me really interested in buffer overflows and system/network security in general.

  12. Gustavo Cardial Says:

    I think it has happened several times, but maybe the ONE was when the website of the company I worked for was defaced. It made me really angry and confused… “How could someone possibly do that?!”

    I was determined to find out how they had achieved that, so the first thing I did was to download the HTTP logs and search for anything unusual.

    After some pagedowns, when I was almost giving up, “gotcha!” - SQL Injection exploitation.

    “So if I type THIS simple string in the navigation bar, THAT happens?”

    “…impressive!”.

    After some research on the topic, when visiting a website I always tried to look for SQL Injection and other web vulnerabilities. And I was really surprised by simply how many times it worked and gave me access to data I was never meant to ever see in my life.

    And that was the beginning of my research on web application security, and security in general. :~

    (It all started with a deface… depressing :/)

  13. zmx Says:

    Mine was in 2000, when “Microsoft Windows 9x NETBIOS password verification vulnerability” appeared.

    Quote:
    “But a vulnerability exists in the password verification scheme utilized by Microsoft Windows 9x NETBIOS protocol implementation. To verify the password, the length of the password depends on the length of the data sent from client to server. That is, if a client set the length of password to be one byte and send the packet with plaintext password to server, the server will only compare it with the first byte of the shared password(plaintext), and if consistent, verification process is done. All an attacker need to do is to guess and try the first byte of password in the victim.”

    I wrote a program to exploit this vulnerability and guess the password character after character. When I saw it running and the first password was cracked, something clicked inside.
    I was like: “All your passwords are belong to me :P”
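
What the advisory quoted in that comment describes is a prefix oracle: the server compares only as many bytes as the client says it sent, so each byte of the password can be confirmed on its own, and the work drops from 256^n to at most 256*n guesses. The following is an added example, not zmx's program and not any real NetBIOS code: a Python simulation of the flawed check beside a correct one, and the byte-at-a-time guesser that the flaw allows. The server, the secret and the query counting are all constructed for illustration; the client-chosen length field is simplified to the length of the bytes sent.

```python
"""Added example: byte-at-a-time password recovery against a length-controlled compare.

Models the flaw in the advisory quoted above: the server compares only the
first N bytes of the stored password, where N is chosen by the client.  Not a
NetBIOS implementation; the 'server', secret and counters are all made up here.
"""
import hmac


def flawed_check(secret: bytes, candidate: bytes) -> bool:
    """Compare only as many bytes as the client sent (the bug)."""
    n = len(candidate)
    return 1 <= n <= len(secret) and secret[:n] == candidate


def fixed_check(secret: bytes, candidate: bytes) -> bool:
    """Require the full password; compare_digest avoids a timing side channel."""
    return len(candidate) == len(secret) and hmac.compare_digest(candidate, secret)


class Server:
    """Stand-in for the remote host: answers yes/no and counts the attempts."""

    def __init__(self, secret: bytes, check):
        self.secret = secret
        self.check = check
        self.queries = 0

    def verify(self, candidate: bytes) -> bool:
        self.queries += 1
        return self.check(self.secret, candidate)


def recover_password(oracle, max_len: int = 64) -> bytes:
    """Extend a known prefix one byte at a time using the server's answer.

    Against flawed_check this needs at most 256 queries per byte, plus one
    round of 256 to learn that no further byte is accepted.  Against
    fixed_check no single-byte prefix is ever accepted, so it returns b"".
    """
    known = b""
    for _ in range(max_len):
        for value in range(256):
            guess = known + bytes([value])
            if oracle(guess):
                known = guess
                break
        else:
            return known  # nothing extends the prefix: password complete
    return known


if __name__ == "__main__":
    secret = b"s3cret!"  # constructed for the demo
    weak = Server(secret, flawed_check)
    print(recover_password(weak.verify), weak.queries, "queries, vs",
          256 ** len(secret), "for a blind brute force")
    strong = Server(secret, fixed_check)
    print(recover_password(strong.verify), strong.queries)
```

The fix is two things at once: never let the peer decide how much of the secret gets compared, and compare the whole thing in constant time so the length check does not become a new oracle.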

  14. Greg Says:

    My moment of “enlightenment” was the first time I used telnet to send SMTP.

    I was 14 or 13 years old, and had some programming background. I was directed to toy with TCP/IP communications, and telnet felt like the natural thing to experiment with.

    So I popped up an example of an SMTP “conversation” that I found online somewhere, connected to port 25 on my ISP’s mail server, and started typing. Once I got to the MAIL FROM: directive, I simply typed in my ISP email address. I sent myself a short message, and it felt pretty cool.

    A few hours later, I checked my inbox again. I stared at the email I had sent myself earlier for some reason, and then it hit me. The sender’s address was mistyped! I couldn’t understand it. How could this be allowed? There had to be some mistake…

    A minute later I sent myself mail from other addresses on my ISP’s domain, and a few minutes after that I sent myself a greeting from billgates@microsoft.com.

    The only words I find applicable to describe what I felt back then are “power trip”. I felt I knew something I shouldn’t, but I wasn’t afraid. Instead, I was more curious than ever. From that moment on, I just couldn’t stop.

  15. mohclips Says:

    Which one? I’ve had two; some of the above posters haven’t had their second one, maybe they won’t…

    Epiphany 1. In ‘82-83, playing with C64 BASIC and peek/poked assembly. My parents bought me a computer but no games, just a book on how to copy in 100s of lines of BASIC to create cool (at the time) games. I realised that I could mess with the code and change all sorts of things. Then I moved on to change/replace the pirate bootloaders with my own ones…

    Epiphany 2. In ‘07, after 10 years in network security for large multinationals: “Security” sucks, no one cares, no one wants to pay for it, no one wants to listen to someone who can rip their networks/apps apart or even give examples of how to do it. Responsible disclosure doesn’t work (not that I’ve tried the other way around). Security apps you pay 100s of 1000s (UK pounds) for are as vulnerable as the networks/apps they are supposedly protecting. It’s _all_ about the bottom line and the backhanders.
    Now I’ve swapped jobs; securing apps, patching and trying to beat the pentesters is much more fun (though not hard).

  16. Mark Says:

    ' or 1=1--

    Holy crap.
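
Mark's one-liner is the classic authentication bypass: the quote closes the string literal, `or 1=1` makes the WHERE clause true for every row, and `--` comments out the rest of the query. The following is an added example, not from the original post: a Python/sqlite3 login built the way it was typically built at the time (string concatenation) beside the parameterized version, run against a small users table constructed in memory. The table, its users and the plaintext passwords are constructed for the demo only; a real application stores password hashes, but that is a separate defect from the one shown here.

```python
"""Added example: the `' or 1=1--` bypass against a concatenated query,
and the parameterized query that is immune to it.  In-memory sqlite3 only;
the users table and plaintext passwords are constructed for the demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, plaintext passwords (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    conn.commit()
    return conn


def vulnerable_sql(username: str, password: str) -> str:
    """The query text exactly as a concatenating login handler builds it."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(conn, username, password):
    """Returns the matched username, or None.  User input becomes SQL syntax."""
    row = conn.execute(vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same logic with bound parameters: input can only ever be data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    payload = "' or 1=1--"
    print(vulnerable_sql(payload, "anything"))
    # -> SELECT username FROM users WHERE username = '' or 1=1--' AND password = 'anything'
    print("vulnerable:", login_vulnerable(conn, payload, "anything"))
    print("safe:      ", login_safe(conn, payload, "anything"))
```

Printing `vulnerable_sql()` is the quickest way to see what Mark saw: the password check is still in the string, but everything after `--` is a comment as far as the database is concerned.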

  17. Robert Says:

    #1
    When my father’s machine got infected with a nasty boot sector virus (after he downloaded some warez) in early 1990’s and no anti virus was capable of removing it. In addition to this it encrypted his HD and messed with his MBR making his brand new $400 200 meg HD state it was 2 gigs in size. I was amazed such things could happen and had to figure out wtf was going on :)

    #2 (sometime in 90’s)
    When I learned about the PHF and PHP.CGI exploit and how you could read files with nothing more than a browser. The ability to hack from any machine with no tools was neato!

  18. kogir Says:

    There used to be an online music service called streamwaves (http://www.timewarner.com/corp/newsroom/pr/0,20812,669445,00.html). I had a subscription, and started poking around its inner workings. It didn’t take long for me to realize none of the content was actually protected. After discovering that it was all there for the taking (no subscription required), I wrote my own interface which would cache local copies of songs as I played them (for free). I’ve been hooked ever since.

    Note: All mentioned content has been deleted, as they were only 64kbps wma’s.

  19. Rusty Says:

    In high school, ~2000, before I had heard of xss and csrf, and probably before the words were coined, I was playing an online game. It had a marketplace where only one link had to be clicked to purchase an item. I posted an item on it, and added an image tag to the link in one of the in-game pages that would only be seen by someone after they killed me. Sure enough, they were forced to purchase an overpriced weapon. It was a somewhat buggy game, and I learned a variety of techniques on it, all the way up to SQL injection, where I had god-like powers over money in the game.
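
What Rusty describes is cross-site request forgery in its simplest form: the purchase was a single GET, the browser attaches the game's session cookie to any request for that origin, and an `<img>` tag is enough to make a victim's browser issue it. The following is an added example, not from the original comment or from the game: a Python simulation of such a marketplace handler with and without CSRF protection, plus a stand-in for what the victim's browser does when it renders the image tag. The game URL, cookie name, session value and item prices are constructed placeholders.

```python
"""Added example: a one-click purchase forced through an <img> tag (CSRF),
and the same endpoint hardened with POST plus a per-session token.
Everything here is simulated; game URL, cookie and prices are placeholders."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SESSION_COOKIE = "sid"
VICTIM_SID = "victim-session-id"  # constructed; a real one is random


class Marketplace:
    """In-memory stand-in for the game's marketplace endpoint."""

    def __init__(self, require_token: bool):
        self.require_token = require_token
        self.sessions = {VICTIM_SID: "victim"}   # cookie value -> user
        self.gold = {"victim": 1000}
        self.prices = {"rusty-sword": 900}
        self.csrf_tokens = {}                    # cookie value -> token

    def issue_token(self, sid: str) -> str:
        """Token the legitimate page embeds in its purchase form."""
        token = secrets.token_urlsafe(16)
        self.csrf_tokens[sid] = token
        return token

    def handle(self, method, path, query, cookies, form=None):
        """Return an HTTP-style status code for the request."""
        user = self.sessions.get(cookies.get(SESSION_COOKIE))
        if user is None:
            return 403
        if path != "/buy":
            return 404
        if self.require_token:
            # Hardened: state change only via POST carrying this session's token.
            if method != "POST":
                return 405
            expected = self.csrf_tokens.get(cookies[SESSION_COOKIE])
            supplied = (form or {}).get("token")
            if not (expected and supplied and
                    hmac.compare_digest(expected.encode(), supplied.encode())):
                return 403
            item = (form or {}).get("item")
        else:
            # Vulnerable: a GET with a valid cookie is all it takes.
            item = query.get("item")
        price = self.prices.get(item)
        if price is None or self.gold[user] < price:
            return 400
        self.gold[user] -= price
        return 200


def browser_loads_image(market: Marketplace, src: str) -> int:
    """What the victim's browser does with <img src="..."> on the attacker's page:
    a GET to that URL with the site's cookie attached and no form data."""
    parts = urlsplit(src)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return market.handle("GET", parts.path, query, {SESSION_COOKIE: VICTIM_SID})


if __name__ == "__main__":
    attack = "http://game.example/buy?item=rusty-sword"  # the <img src=...> URL
    open_market = Marketplace(require_token=False)
    print(browser_loads_image(open_market, attack), open_market.gold)
    safe_market = Marketplace(require_token=True)
    print(browser_loads_image(safe_market, attack), safe_market.gold)
    token = safe_market.issue_token(VICTIM_SID)
    print(safe_market.handle("POST", "/buy", {}, {SESSION_COOKIE: VICTIM_SID},
                             {"item": "rusty-sword", "token": token}), safe_market.gold)
```

Two independent rules do the work: a state change is never a GET (so an image or link load cannot trigger it), and the request must carry a secret the attacker's page cannot read (the per-session token). Modern browsers add the `SameSite` cookie attribute as a further layer, but the token check stands on its own.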

  20. mockTurtle Says:

    Just after finishing college, I was working as a PHP programmer and reading a lot about web security. I was paying my bills online one day and decided, just for the hell of it, to check the applications for holes. My ISP, home and student loan applications were full of xss holes. The power company used the current timestamp as its session ID. My bank had its logfiles publicly accessible as well as submitting credentials over plaintext (if javascript is disabled), and also contained a script injection hole.

    The real ‘Oh, Shit’ moment came the next day, after I’d informed my bank about their holes. Their head of security insisted that their website was secure, and refused to address the issues.

    To this day, nothing has been done about any of the reported vulnerabilities. Every time I log in to pay my bills, I get greeted by alert(document.cookie);

  21. Jim Manico Says:

    My Epiphany was (1) when Stephen Northcutt asked me to write a course on Java Software Security - then I started thinking about how many things could possibly go wrong - it was overwhelming. My second (2) epiphany was reading the Aspect guide on WebAppSec - it gave me a sense of hope that one could actually lock down a WebApp after all. :)

  22. hanfi Says:

    The first thing was when I wrote a small program that read my input and just printed it out (it was one of the first times I programmed anything at all). I then “fuzzed” it and made it break with my input (I then wanted to understand “why” and learned what a buffer overflow is).

    For Web things, it was when I made a SQL-injection-safe database tool for an online gaming inventory thing… just to find out I had damn bad persistent XSS in it (doh). Basically it taught me that making something safe never works. I can only make things safe against the known bad stuff.

  23. Arian Says:

    1. Norton Disk editor. Binary manipulation..

    2. The Russian and Polish VXer scene. Binary hacking ++. Those guys were sharp. So were the demo and “dentro” coders. It was *fun* and not *security*.

    3. Found the carrier scene (anyone remember that scene? Props to Radiation King & Motiv8) which led me to L0pht and the early eEye guys. Finally, ‘Hacking Exposed’.

    The first time I remotely dropped a script into a profile to put a registry string in Current Version>Run key with a net user ADD command, create user, add to local admin group, and a second key in Run Once to telnet back to my server so I could confirm success of the net user ADD command…

    I had remotely owned an NT Server on a corporate network, and was local admin. OMG, this was easier than hacking Netware profiles. (It was, for the record, to flush a print queue to enable a local salesperson to print some stuff for clients. Sysadmin was not being helpful)

    The funny thing is that I had been building web apps, and was still doing web software on the side of my consulting, and I never put 2 and 2 together on hacking + web apps until around 1998 or 1999, when I was in charge of apps with real money in them. I had a lot of interested Russians (and a few Chinese and South Americans).

    I saw some crazy stuff in the logs of one of my financial apps, went home, played with that while I ordered a pizza online, and next thing I know I’m in full control of the application. Too many holes to count (probably 12 of the WASC 24).

    I contacted the company, the CIO, got the official response (they use SSL, they are *secure*), asked them to remove my credit card data please, or would they like me to do it, since it’s directly exposed to the internet?

    After the letter from their attorney, I realized “oh, crap, I’m a hacker”, never bought pizza from them again, never poked around unauthorized again, and realized software security was going to be a trade skill for a while.

    Probably half of us have a story like that last one in our storybox.

    Fun thread man, but missing the beers that should go with it. Beer + ‘The Moment’ stories == 4x length, ++ embellishment

  24. Julian Calaby Says:

    My moment was when I was hacking around with TCP and UDP using Winsock in VB5 and discovered that I could bypass my school’s internet authentication with a painfully simple app. (Netware, ClientTrust)

    Fun times.

  25. Birdie Says:

    My moment was in 2006, when I read a csrf tutorial, where they used html and javascript to automatically submit a form to change the profile if logged in.

    And I was like wtf, internet is flawed.

  26. Rotem Bar Says:

    All my life I have created and broken things. The moment I really got into the security business came in two phases.

    The first - I got to the army and needed to pick from MF, Network Security, Microsoft Systems or Management Systems. Security picked me.

    The Second - I found myself at a “hacker” conference when I knew nothing about it. I got bored with the speeches, so I went back to the advertising area and started playing with a system that had an SQL injection. I didn’t know much, so I just fooled around with it and looked at what other people were doing. After the conference I went home, and a friend called me and told me I had won first prize.

    That’s the entry point that told me this is a fun job :)

  27. Eponymous Says:

    In general, poking and peeking the PC speaker on Apple ][c/e/gs circa 1986 or so…spiraled me off into both electronic music and computer interests. I had no manuals or anything, just looking at others’ code and wondering what certain commands were, and how BASIC programs made their sounds and graphics. For web, it was being pissed at lynx in 1994 and having someone show me how to run NCSA Mosaic.

  28. Kyran Says:

    For me it was actually finding the XSS cheatsheet shortly after RSnake initially put it up. I had not done too much in technology aside from random low-level technician style work until that point. I then realized that not only are OSes vulnerable, software of all kinds is, including web applications. And poof. Here I am.

  29. mustikos Says:

    well, one of the moments was when my father had gotten an answering machine for the company he worked for and brought home a remote he used to play into the machine, over the phone, to send it commands. I copied the sounds onto my mini-tape recorder and called the answering machine, and at one point recorded the playback sound onto the message, so for the rest of the weekend the machine constantly rewound, replayed, rewound, replayed… etc..

    another moment was when I wrote a script into a page: when you went to the page, it opened 1,000 windows, and if you didn’t catch it in time, your computer would crash, out of memory.. I would see my friends’ ICQ names turn from blue (online) to red (offline) and I knew they had a problem.. as well, I used to have an html page referencing the floppy drive (a:) for the background image, and the person visiting the page would have their floppy drive spin up.. the page said “INSTALLING A VIRUS TO A:” as a joke.. scared some people, and of course I let them know it was a joke..

    another time I called 1800-555-1212 and asked for Yahoo’s number. I ended up with a modem on the other end, so I dialed in with my 9600 baud modem and ended up connecting to the internet with Username:guest Password:guest ..

    I guess there are a few, but the defining moment, I think each one builds up to it

  30. krazl Says:

    It all started when I was playing online games and suddenly someone from my country gained all the top ranks by hacking. Suddenly I realized everything could be hacked, and started my own research.

    So I started with e-commerce hax (earned some free bus tickets :) ) and gained access to many db-driven websites :p

  31. Sergey Vzloman Says:

    I started from web development… many years ago I started developing web 2.0 sites (using iframes.. :) before web 2.0). I had many problems with browser security, and this was the time when I found solutions :)

    I wrote about this many years ago: browser exploiting, xss (access to local files), csrf (sending requests), web worms (mail.ru web interface worm). But every time people said that this is not hacking.

    4 years passed and now I understand that they were wrong. Web application security is the most interesting side of network security, because there we are exploiting app flow and data processing!

    We have done a lot of work to make the internet safer, thanks 2 all. enjoy… :)

    With best regards, digital scream/dgtlscrm, Sergey Vzloman, 0xfa60, Vlad Mysla, I don’t remember all the names :)

    insecure by default

  32. Meatball Says:

    The digital battlefield became real to me shortly after learning about the need to have a firewall. A week or so after installing ZoneAlarm I noticed what looked like probes from a single IP in the logs. I got angry at their audacity in “attacking” my personal computer right in my home, so I decided to tell them to bugger off by running a complete port scan on them. During the scan they pinged me, which told me that they had detected my scan in realtime and someone really was “after me”. I shut down the computer for an hour then promptly forgot about the incident. The next morning I was awakened by the police who came up to the condo accompanied by a complainant with a short, military style haircut. They drummed up a complaint about suspecting my car had hit his car parked out front. I’ve always wondered who he was. I figure I’ve got a black mark by my name in some clandestine database so if any of you come across that, feel free to delete the record LOL

  33. not putting my real name for this Says:

    I was 15 years old in high school. I didn’t know that much, I’d written a lot of programs over the years in perl, but security and hacking was an alien field that I didn’t know about or think about. I was bored in the school’s computer labs a lot, because I had finished my work faster. Or maybe I was just slacking, I don’t know. They had these windows 98 and windows 2000 systems where we all had logins and 4 digit passwords randomly generated (which even then seemed incredibly stupid…). I would go into “network neighborhood” and look at all the computers that were sharing files and printers in the entire school system’s WAN, all of which were helpfully labeled by school, building, room number, and computer number. Most could be accessed with a student account’s permissions, though a few were properly blocked from me. This is where I found my first copy of Ethereal and nmap; one of the network people must’ve left them on the share. On a computer named “Office-2″ I found a Microsoft Access Database file, completely unprotected. I opened it up. I stared in shock: every single one of my classmates’ SSNs, home addresses, home phones, and full names were listed. Available to any student in the school, no hacking required. That scared the HELL out of me. I decided to keep people from being able to just see this kind of information. I logged in with an elementary school account (they were different, just the name of the school as both the username and password, as they didn’t have unique access per student). This provided me the anonymity (I felt at the time) to delete it. And so I did. I’ve never told anyone about this before. I guess the school people didn’t notice its disappearance, I don’t know.