Description

The talk is divided into 6 chapters. In the first one, I’ll relate what an Ethical Hacker is and what he does, and I’ll also prepare the audience for the upcoming hackings tales.

Chapter 2: Hacking tales. In this chapter I’ll talk about different ethical hacker stories that happened to me recently. Each story will have the technical part about how I exploit it and what I can do in the system, the way that I communicate it to the company and their responses.

The first story is a small update about my last talk(Insert coin: Hacking arcades for fun), where we can basically get all the customer data, charge money for free and emulate all debit cards. It affects more than 2.3k installations in more than 70 countries. But the most interesting part was the in-person meeting with the company.
Second story is about a large supermarket chain. After escalating in some web servers and getting root access, I had read/write access to the customer and employee database and was even able to modify product prices among other things.
The third one is about a ticket sales and distribution company. The results were similar, getting all the tickets, customers and employees, being able to generate some free tickets and getting admin access. But the way to get access was different, and the response from the company was the best, ending in a request for pentesting and a security talk to the entire company.
A transportation company, after some idors and business logic vulnerabilities were able to get all tickets, user data and generate free tickets.
The last tale, an e-commerce platform that allows businesses to create and manage their online stores: A bunch of exposed files, some .js files with the body of apis. After reading some code, we were able to login as any user in any business(Insurance, airlines, banks) including some CEO accounts.

Chapter 3: In this chapter I’ll dive into the different tools(90% open source) that I use on a daily basis, methodologies and the most common mistakes that we can find.

Chapter 4: Different types of disclosure. I’ll explain why this is important, from the point of view of hackers, companies and the community. Below I’ll show the way I always present my reports, following the examples used by my friends and others.
Also, in this chapter I'll show the normal responses from the companies and the way to handle it, cause in some cases it can be frustrating and even threatening.
To close the chapter I’ll talk a bit about BBP and VDP.

Chapter 5 will discuss the impact we can get from good feedback from companies, seeing how more companies have improved their security posture and relationship with hackers. Also, perhaps the most important part, personal growth, recognition and learning new methods/attacks in a real world scenario.

Chapter 6: Ending and conclusions. Part of the takeaways are to encourage new generations to do ethical hacking and help generate a good relationship between hackers and companies. The idea of ​​promoting the "ethical" part arises because unfortunately every day we see more cybercriminals selling user data and other confidential information of third parties. We have a responsibility to educate, identify and work on security vulnerabilities.

Outline

• Introduction
• Whoami
• Disclaimer
• What's an “ethical hacker”?
• Hacking tales
• Conclusion from the arcade company of last year
• Large supermarket chain
• Tickets sales and distribution company
• Transport company
• E-commerce platform
• Essentials
• Tools
• Methodology
• Common mistakes
• Disclosures
• Types
• Why is it important?
• My way to report
• Other ways to report
• Handling responses from companies
• BBP/VDP
• Impact of ethical hacking
• Feedback from companies who I hacked
• Encouraging others to get involved in ethical hacking
• Conclusions
• Takeaways
• Q/A