Head shot of Junior Developer Luke Hardiman

Kiwicon: a real security eye-opener for developers

Psoda blog author avatar
Guest Author
30 November 2016

I’ve always thought I was pretty security conscious with my own laptop, data and information – and that I could keep my own systems safe. But it only took a few hours at Kiwicon X to realise how wrong I was!!!
As a Linux fan and Mac user, I am always teasing my Windows friends at the office that you couldn’t catch malware or viruses on a Mac. Well, after what I heard at Kiwicon, I have to admit how mistaken I was…
The event was a real eye-opener for me about how insecure some of us are in the workplace and I came away from it with so much new and enlightening knowledge.
Here is some of what I learned from the talks – from a developer’s perspective (and hopefully not too nerdy):


$_GET Requests
Passwords today are still being sent unsalted/insecurely as a GET or POST request. Most web forms are still processing just plain text for passwords which allow man-in-the-middle attacks to retrieve these requests very easily.
As an example, @Amm0nRa demonstrated taking advantage of passing a script into a metroinfo.co.nz page that was meant to display errors via a GET request. With this he was able to inject JavaScript, which then loaded his JavaScript file. Now he was able to pass anything to the client, or send back unsalted passwords from the user back to a remote location.
Website showing hacked by kiwicon instead of the front page

Cross platform/Mobile

Cordova hacking is real!!! Cordova is becoming a very popular cross platform development framework. It allows developers to use HTML, CSS and JavaScript to develop mobile or desktop applications.
So with a ton of applications powered by Cordova and its JavaScript engine, it didn’t take long before users were hacking these applications. The most common exploit is JavaScript link injection. As an example Moloch & Shubs showed us a chat program (I won’t mention the program as it hasn’t been fixed) in which they created a link that contained a JavaScript code execution. Once the link was clicked by a user, it started sending message to all the user’s contacts. So now the worm was all over the chat system infecting more and more users. The worm then searched for credit card information, passwords and any information it could find about users. It also allowed for remote control access.


Phishing emails used to be old school, but today they are still happening and are even more advanced. Michele Orru from Kiwicon showed us how to launch and setup phishing in under 10 minutes.
The tools he provided were crazy – you could send out thousands of legit emails within minutes! The tool even provided tons of premade email templates that looked legit and convincing. It was also automated so all you had to do was supply a domain name and it would do all the hard work. With his tool, you can monitor who’s clicked your links, and view all their data collected. You also had full remote access of a user’s machine.

My conclusion

When developing, look at all input points of your code, from GET request to anything that could allow a cross-scripting injection. Don’t rely just on virus scanners or think you won’t get malware, as with links getting passed around today look legit but can contain JavaScript injection code.
Kiwicon was a great event and the knowledge can help anyone.

Leave a Reply

Your email address will not be published. Required fields are marked *