This website is a blog dedicated to finding security vulnerabilities in New Zealand websites and getting them fixed. I aim to publish a new post each weekend until all the websites are fixed 😉.
The Motivations
I have a few reasons for starting this blog, so bear with me.
Accountability
It wasn’t so long ago that one could find major security issues in some of New Zealand’s biggest websites without too much trouble. Often these websites’ security issues would involve leaking all their users’ personal information (and sometimes even their passwords… in plaintext). While these issues were eventually fixed, the users of these websites were never told that their personal data was compromised. I don’t think this is good enough.
Companies should have a responsibility to inform their users of a breach so that their users can take the required extra steps (like changing their passwords; although everyone should use a different password for each website, that’s another issue altogether, really). Every website has software vulnerabilities; the fact that a website is on here means that they care enough to have fixed them!
Education
This is twofold: I think that many different kinds of professionals can learn something from reading through the posts on this website.
Defensive
Most of the vulnerabilities in websites are pretty simple ones to fix if you know what to look for. But thinking about the bigger picture here, if you’re a developer and add features to a software project, you should be aware of the common risks and pitfalls.
This blog aims to show developers what not to do and how these issues can crop up in the wild. It’s a showcase of the OWASP Top 10 but in relatable terms; pretty much every Kiwi has used some of the websites listed on this blog. As such, despite the sensationalised titles, each post is presented in an educational style.
Offensive
And if you’re on the other side of it, I want to show you techniques that you can use to break websites. If I’m being honest, most of the techniques used here aren’t particularly sophisticated and can be learned in an afternoon if one is already familiar with web technologies and software development. But you can probably still learn something regardless. I’m constantly learning new things when I’m evaluating websites for issues.
I also want to encourage other hackers to do the right thing if they find a security issue on a system; the more people we have finding and reporting issues, the better the internet will be for everyone! It’s also really fun to find vulnerabilities and I encourage everyone to try it!
The Techniques
I use only the most top-secret elite hacker tools on the market (like Firefox, or Google Chrome). Seriously, all you need to find and exploit vulnerabilities in most websites is just a web browser. It’s not very often that I have to use something a little more sophisticated like Burp Suite.
Finding the vulnerability is often the least time-consuming part of the process. I’ll often only spend about 30 minutes evaluating a website. Sometimes I’ll find no issues and sometimes I’ll find half a dozen issues. It just depends on how much thought and investment this website has put into security.
After I find a problem on a website, I’ll write a report with enough information so that the website maintainers can fix it. This report will often include screenshots or videos if needed. I also include some possible ways that a malicious third party could abuse the vulnerability to do damage to the website. Sometimes this involves creating a proof-of-concept (PoC); there’s really nothing like a good demonstration to motivate a company into fixing an issue.
I’ll then make contact with the organisation behind the website and give them the report. To provide some motivation to fix the issues quickly, I let them know that I’d like to publish a post online based upon the report within 90 days, once the issues have been fixed.
After that they’ll usually have the issues fixed pretty quickly; some of the bigger companies will only take a couple of hours to get things sorted.
The Human
I’m a software engineer based in Ōtautahi, New Zealand. This website is just a hobby project for me. Among other things, I tutor computer science to university students and am trying to figure out how to make the violin sound not terrible.