00:00:00,060 --> 00:00:04,620 Hey guys, hackers, Floyd here. And in this  video, we're going to get started with the web   00:00:04,620 --> 00:00:09,180 application penetration testing series. Alright,  so a lot of you guys have been asking for this,   00:00:09,180 --> 00:00:15,000 mostly because you want to learn the art of bug  bounty. And here is the series. So have worked   00:00:15,000 --> 00:00:19,770 really, really hard on, you know, making it as  comprehensive as possible, we're going to get   00:00:19,770 --> 00:00:24,180 started with setting up burp suite. So for those  of you who don't know, what works, who it is,   00:00:24,180 --> 00:00:28,860 burp suite is essentially an integrated  platform for performing security testing   00:00:28,860 --> 00:00:34,800 of web applications. Alright, so the first thing  you need to understand is that it will allow us to   00:00:34,800 --> 00:00:40,920 intercept the data being sent between your browser  and the web application. So it's, it's a great way   00:00:40,920 --> 00:00:46,140 of understanding how data is being transferred,  and how data can be manipulated, be manipulated,   00:00:46,140 --> 00:00:52,260 between the client, and obviously, the web  application. Okay, so the tool we're going to be   00:00:52,260 --> 00:00:57,330 using, as I said, is burp suite. And I'm currently  running power to us. So don't worry, if you're   00:00:57,330 --> 00:01:01,830 running Windows or Kali Linux, it doesn't really  matter, all we need to do is just download and   00:01:01,830 --> 00:01:06,810 install burp suite, it's pretty simple to get set  up, you don't have to register, you just download   00:01:06,810 --> 00:01:12,270 the free community version. Now, obviously down  the line, you might choose to buy the professional   00:01:12,270 --> 00:01:18,990 version, which I do recommend and I have used,  but I don't use it as often I'm not, you know,   00:01:18,990 --> 00:01:28,170 specifically a web penetration tester, I'm more of  a more of an of a web server penetration tester.   00:01:28,170 --> 00:01:34,350 So I really work with a different vectors. So  by default, you can choose to bite that one to   00:01:34,350 --> 00:01:39,150 become experienced. And you know, you've chosen  whether this is the path that you want to pursue,   00:01:39,150 --> 00:01:44,460 it's a fantastic path. I know a lot of people who  you know, make good money with bug bounty. So you   00:01:44,460 --> 00:01:48,480 know, it's something that you can look into  as well. Alright, so let's get started with   00:01:48,480 --> 00:01:53,730 setting up the proxy. Alright, so this is the  intercepting proxy that allows us to, obviously,   00:01:53,730 --> 00:02:01,050 to intercept the data being sent to and from the  client and the, the web, the web application.   00:02:01,050 --> 00:02:05,670 So to do that, we need we can just do it through  Firefox. So the browser I'll be using is Firefox,   00:02:05,670 --> 00:02:10,320 you can use whatever you want. And by default, you  want to go into your preferences that can be found   00:02:10,320 --> 00:02:16,980 here preferences, there we are. And you want to  go all the way into the bottom here. That way it   00:02:16,980 --> 00:02:22,110 has the network proxy, and make sure you go into  settings, and you want to go into manual proxy   00:02:22,110 --> 00:02:27,060 configuration. Alright, so this is where we're  going to configure it to be the localhost with   00:02:27,060 --> 00:02:33,510 the port set at 8080. All right, and then you want  to make sure that this, you use the server proxy   00:02:33,510 --> 00:02:38,550 for all protocols. So that is the proxy we're  going to be using and just hit OK. Alright, and   00:02:38,550 --> 00:02:43,590 once that's done, you should be good there. Now  what you want to do is just open up burp suite, so   00:02:43,590 --> 00:02:49,890 you can search for it, or I have it already on my  on my little Taskbar here. And I don't think I've   00:02:49,890 --> 00:02:54,990 updated it for a while. So I probably need to do  that later. But for now, I'll just close that the   00:02:54,990 --> 00:03:01,230 update prompt and it's going to prompt you Welcome  to burp suite. And it's going to say not depending   00:03:01,230 --> 00:03:05,640 on the version that you've chosen to select  whether you've chosen the community version,   00:03:05,640 --> 00:03:10,470 which is what I have here, or the free version, as  it's called, and you then have the pro version. So   00:03:10,470 --> 00:03:16,770 by default, the community version only allows  you to use a temporary project, if you have the   00:03:16,770 --> 00:03:21,390 professional version that allows you to save your  project, which is, you know, great functionality   00:03:21,390 --> 00:03:27,480 as well. So just hit next and you just want  to use the verb defaults. And just hit start.   00:03:27,480 --> 00:03:32,520 And just give that a few seconds to start it up.  Alright, and I'll explain the interface generally,   00:03:32,520 --> 00:03:37,200 but we'll be looking more into how burp works.  In the next video, I just want to get you set up   00:03:37,200 --> 00:03:42,930 with birth in this video, and you understand what  exactly is going on. Alright, so welcome to birth.   00:03:42,930 --> 00:03:48,120 Now by default. Again, it may seem a little bit  intimidating mostly because if you're a beginner,   00:03:48,120 --> 00:03:53,310 you have not heard of any of these of these words  here and you don't really know what they're doing.   00:03:53,310 --> 00:03:58,620 Alright, so by default, you have your target proxy  spider scan into the repeater, sequencer, decoder,   00:03:58,620 --> 00:04:03,450 compare extender, your project options, your user  options, and alerts, we'll be going through all   00:04:03,450 --> 00:04:10,920 of this as we as we, you know, perform real  world testing on our on our vulnerable on our   00:04:10,920 --> 00:04:15,360 vulnerable target, I'll be showing you how to  set up a dam vulnerable web application soon,   00:04:15,360 --> 00:04:21,180 and many others but for now just focus on burp  suite. Alright, so by default, you want to just   00:04:21,180 --> 00:04:27,770 go into proxy. Alright, and for some reason, I  already have some data here. So you know what, I'm   00:04:27,770 --> 00:04:32,810 just going to leave that as it is, I just want to  turn our intercept off. So we're not intercepting   00:04:32,810 --> 00:04:39,230 any traffic as of yet. And you want to go into  your options. And you want to make sure that your   00:04:39,230 --> 00:04:44,660 proxy listeners, as you can see, burp proxy uses  listeners to receive incoming HTTP requests from   00:04:44,660 --> 00:04:50,450 your browser. So you want to make sure that your  proxy is set as the as the one we set in Firefox,   00:04:50,450 --> 00:04:56,660 which is the localhost 120 7.0 point 0.1 and the  port is 8080 and make sure that that is running.   00:04:56,660 --> 00:05:01,280 Alright, you can also create your own and add it  here and you're going to To remove it, so you get   00:05:01,280 --> 00:05:07,490 the idea. Now by default, if I just go back to  my intercept, if I just go back to my browser,   00:05:07,490 --> 00:05:12,170 and this is where the real magic happens,  if I just, you know, if I just open this,   00:05:12,170 --> 00:05:18,620 and I type in a simple test site example.com, and  I just hit enter, alright, it's going to load it   00:05:18,620 --> 00:05:24,050 up here. But if we're going to burp suite, and I  go into HTTP history, you can see that by default,   00:05:24,050 --> 00:05:30,350 there are some Firefox portals. You know, some  get methods here. But we'll be looking at all of   00:05:30,350 --> 00:05:38,710 these methods or requests. By default, you can see  that the example.com, the example.com, one would,   00:05:38,710 --> 00:05:42,830 you know, that we ended, you can see there is a  get request. And furthermore, if you go down to   00:05:42,830 --> 00:05:48,200 the bottom here, you can see there is some more  information regarding now what a request are sent   00:05:48,200 --> 00:05:56,300 to the web application. Or so by default, you can  see that the host was example.com. And it gives   00:05:56,300 --> 00:06:02,060 you more information, like the Accept language,  the encoding, the connection. And if you look at   00:06:02,060 --> 00:06:08,240 the headers, you can see that the header shows,  you know very clearly, you have your get host,   00:06:08,240 --> 00:06:15,020 use agent accept language, the Accept encoding,  connection, etc, etc. So you might be a little bit   00:06:15,020 --> 00:06:20,030 confused if this is your first time hearing about,  you know, headers, and the request and response   00:06:20,030 --> 00:06:25,430 pairs. But don't worry about that we'll get to all  of this for now, if I just go back into intercept,   00:06:25,430 --> 00:06:33,170 and let me just open up my browser here. And  we open something like the my web, my website,   00:06:33,170 --> 00:06:39,080 would you say it just like.com. So before we do  that, I just want to hit intercept on. Alright,   00:06:39,080 --> 00:06:45,110 so now it's going to intercept actively. And we  just go into Hs pro.com. And I hit go. Alright,   00:06:45,110 --> 00:06:50,900 now by default is going to tell me that  essentially, the mic connection is not secure,   00:06:50,900 --> 00:06:56,750 don't worry about this, just go into your and  just add this as an exception. There we are   00:06:56,750 --> 00:07:02,240 made confirm exception. And now it's still not  going to load the website. And the reason being   00:07:02,240 --> 00:07:07,280 is we have not forwarded the request. And they are  being intercepted by burp suite. Alright, so if I   00:07:07,280 --> 00:07:13,430 go into back into burp suite, you can see that it  has started the intercept process. And by default,   00:07:13,430 --> 00:07:20,660 you can see that we need to forward we need to  forward the request here. So if I just forward it,   00:07:21,290 --> 00:07:25,520 let me just for that again, there we are, let  me just for them for hackers out there. Yeah,   00:07:25,520 --> 00:07:31,190 that's the correct one. So all for this again.  And there. We also know hackers blade should   00:07:31,190 --> 00:07:35,870 be up and running. And as you can see, I should  have loaded the site. Give that a few seconds.   00:07:35,870 --> 00:07:41,090 There we are. Alright, so as you can see, that  is how you intercept the data that is being sent   00:07:41,090 --> 00:07:46,580 from the client to the web application. And  furthermore, that's how you, you can analyze   00:07:46,580 --> 00:07:51,830 the data being sent, and furthermore manipulated  to obviously find vulnerabilities within the web   00:07:51,830 --> 00:07:56,780 application. Alright, so irregardless of all  of this, I know, this was very, very basic,   00:07:56,780 --> 00:08:01,640 and it's not really covered anything in terms  of web application penetration testing. But   00:08:01,640 --> 00:08:05,990 don't worry about that, you know, we start off  really, really simple. And we build on that.   00:08:09,730 --> 00:08:14,170 We're going to get started with spidering, more  specifically spidering, with burp suite. And,   00:08:14,170 --> 00:08:18,670 you know, the purpose of this video or this  tutorial, is to help you understand the   00:08:18,670 --> 00:08:23,470 spidering process and how to go about doing  it with a burp suite. Alright, so there's   00:08:23,470 --> 00:08:27,760 going to be a little bit of theory here, but  I'll be explaining a lot of things. So again,   00:08:27,760 --> 00:08:33,580 this video is really focused on understanding  spidering. Now, before we get started with that, I   00:08:33,580 --> 00:08:38,560 just wanted to let you know that the target or our  web application that we're going to be targeting,   00:08:38,560 --> 00:08:43,870 we're going to be attacking is the damn vulnerable  web application. Now, if you don't know what the   00:08:43,870 --> 00:08:47,890 damn vulnerable web application is, that's fine,  you can just Google it. And I'll probably make a   00:08:47,890 --> 00:08:52,990 video on how to get it installed on Kali Linux.  But what I would recommend if you're, you know,   00:08:52,990 --> 00:08:57,370 beginner, or even if you're a professional in  hacking, probably one of the best things that you   00:08:57,370 --> 00:09:02,920 need to have, you know, in your kit is Metasploit  able to write and for the simple reason that it   00:09:02,920 --> 00:09:07,720 contains, first and foremost a vulnerable  operating system. And secondly, it contains   00:09:07,720 --> 00:09:14,440 all the vulnerable web applications that we will  be using at one stage during this series. Okay,   00:09:14,440 --> 00:09:18,550 so we're going to be starting off with the  damn vulnerable web application. As I said,   00:09:18,550 --> 00:09:23,530 it comes pre installed with meta splittable, too.  So all you need to do is get the local IP address   00:09:23,530 --> 00:09:28,090 on your mat, exploitable to virtual machine,  which in my case is 190 2.1 68 point 1.1 a dupe.   00:09:29,740 --> 00:09:33,550 So what I'm going to do is I'm going to open up  my browser, and I'm just going to open up that   00:09:33,550 --> 00:09:40,090 webs that IP address point 1.1 or two, and just  give it a few seconds to load up. As you can see,   00:09:40,090 --> 00:09:45,550 there we are, that's made exploitable too. And  it's going to prompt us to select what vulnerable   00:09:45,550 --> 00:09:51,430 web app we want to use. In this case, we're going  to select the DV w A, which is the dam vulnerable   00:09:51,430 --> 00:09:56,260 web application. So just click on that and it's  going to ask you for your admin and password in   00:09:56,260 --> 00:10:01,090 this case for your username and password Sorry  about that, in this case Your username is admin   00:10:01,090 --> 00:10:06,280 and the password is password. Alright, so just  hit login, and it's going to log you into the   00:10:06,280 --> 00:10:12,430 damn vulnerable web application. Now we'll be  looking at this at a more in a later video. And   00:10:12,430 --> 00:10:17,470 the reason is we have to go through all of these  options. But for now, if you go to the login,   00:10:17,470 --> 00:10:22,330 just remember where it was, if I can just go  to the security, so to the dam vulnerable web   00:10:22,330 --> 00:10:26,990 application security, at the moment, it was high,  because I was actually performing some tests on   00:10:26,990 --> 00:10:31,460 it, but just change it to medium or low. But for  now, you wouldn't be using it. I was just letting   00:10:31,460 --> 00:10:36,680 you know what web application we're going to be  using. Alright, that being said, let's move on   00:10:36,680 --> 00:10:41,750 to burp suite. All right, and we can I can start  explaining the spidering process. Right. So let   00:10:41,750 --> 00:10:46,460 me just open up burp suite. So I've updated it to  the latest version. I think I'm running Catalina   00:10:46,460 --> 00:10:51,140 next now in the previous video, I was running  parrot. So I think there should be an update,   00:10:51,140 --> 00:10:56,330 but I could be wrong. So let's just give that a  few seconds to start up yet there is an update. So   00:10:56,330 --> 00:11:01,760 I'll do that later. And we'll just click on create  our temporary project and use the bap default and   00:11:01,760 --> 00:11:07,310 start that. Okay, so once that starting, let  me explain what spidering is right now the   00:11:07,310 --> 00:11:14,480 purpose of spidering is to identify our scope,  alright, or what, what we want to scan. Now this   00:11:14,480 --> 00:11:19,340 is not exactly scanning, and we'll be looking at  scanning. But essentially spidering is the process   00:11:19,340 --> 00:11:25,400 of mapping out our web application, and is very,  very useful for finding links and and web forms,   00:11:25,400 --> 00:11:31,070 which is also very important because it will  allow us to then furthermore, attack the web forms   00:11:31,070 --> 00:11:36,830 manipulate headers, etc, etc. Right now, when you  talk about automatic spidering with burp suite,   00:11:36,830 --> 00:11:43,400 it essentially when when burp is spidering,  it follows links and it will, it will start   00:11:43,400 --> 00:11:48,920 following links and it will start identifying for  files, folders and forms from the web application.   00:11:48,920 --> 00:11:55,070 And it will, the great thing about this is it will  record all the requests and responses while it's   00:11:55,070 --> 00:12:02,090 performing the the old spidering process. Okay,  so once you have a burp suite opened up here, you   00:12:02,090 --> 00:12:07,160 can let me just expand it. So we have a greater  picture of what's going on exactly. Sorry, if my   00:12:07,160 --> 00:12:12,380 virtual machine is a little bit slow, I need to  configure it correctly. Anyway, what you want to   00:12:12,380 --> 00:12:17,150 do is we have looked at the proxy check section,  let's look at the spider section. And in here,   00:12:17,150 --> 00:12:21,230 this is a very, very simple menu and to understand  it, you can see that we have two tabs available,   00:12:21,230 --> 00:12:27,320 we have the control tab and we have the options  tab. Alright, the control tab. Essentially,   00:12:27,320 --> 00:12:31,340 if we just click if I just look, if we look at it,  as you can see, these settings are used to monitor   00:12:31,340 --> 00:12:37,700 and control the web spider. So it allows you to  stop to start and stop the burp spidering. And   00:12:37,700 --> 00:12:43,100 you can also clear the cues. Alright, when you  look at the options, which is right here, sorry   00:12:43,100 --> 00:12:46,760 about that, when you look at the options, there  are a lot of options, we'll be looking at them,   00:12:46,760 --> 00:12:52,850 I will be looking at them in a second. Sorry  about that, I actually got an email, apologies   00:12:52,850 --> 00:12:58,550 that. Let's get started. Now with the control  section. So the control section, it will all   00:12:58,550 --> 00:13:04,430 we are able to control the spider status where we  can stop it and started and you know, furthermore,   00:13:04,430 --> 00:13:10,460 we can clear the cues that already exists there.  Alright, we then have the spider scope where we   00:13:10,460 --> 00:13:16,010 can, we can define our own scope. And depending  on what we want to spider, we look at that in a   00:13:16,010 --> 00:13:23,660 few seconds. And finally, we look at the well if  we look in the Options section here, we have the   00:13:23,660 --> 00:13:29,450 crawler settings which allow us to specify the way  the spider is going to crawl for the web content   00:13:29,450 --> 00:13:34,160 on the web application, we'll be looking at the  maximum link depth and what that means passive   00:13:34,160 --> 00:13:40,790 spidering that allows us to essentially spider to  continue spidering when we are looking through or   00:13:40,790 --> 00:13:46,430 we're going through the web application, we're  performing requests and responses when we're   00:13:46,430 --> 00:13:50,720 performing requests. As for the form submission,  this is probably something that we'll be looking   00:13:50,720 --> 00:13:55,340 at in the next video and we'll be doing this.  Practically we will be actually performing the   00:13:55,340 --> 00:14:02,180 we'll be performing the spidering process. But  for now, let me see what else Yes, the request   00:14:02,180 --> 00:14:09,170 headers. The request headers are used to you can  manipulate essentially the headers. If you've   00:14:09,170 --> 00:14:13,880 learned about HTTP headers, by the way, I really  want to cover HTTP because it's very important   00:14:13,880 --> 00:14:18,050 that you understand how the ad is work. But we'll  be looking at this all in advance. But now let's   00:14:18,050 --> 00:14:25,430 start off with the spider status. Well, not really  with the spider status. But looking at the control   00:14:25,430 --> 00:14:30,170 tab. If you look at the spider scope, you can see  that you can it will use the default suite scope,   00:14:30,170 --> 00:14:35,120 which is defined in the target tab. If you just  click on use a custom scope, you can see that   00:14:35,120 --> 00:14:41,000 Okay, first, you over, if you just click on this  little cog here, you can restore the default, you   00:14:41,000 --> 00:14:45,680 can load your own and you can save the options.  So that's just to do with that. Now when you talk   00:14:45,680 --> 00:14:52,740 about using the advanced scope here is where you  can essentially this is where you specify what you   00:14:52,740 --> 00:14:59,520 want to map so you can specify a host, the port,  etc, etc. Okay, again, we'll be looking at all   00:14:59,520 --> 00:15:04,620 of this as We move along. But for now, we're just  going to use the default suite scope, we can just,   00:15:04,620 --> 00:15:09,060 if once you click on that, it's going to start the  spidering process, but we don't need it right now.   00:15:09,060 --> 00:15:13,380 So I'm just going to come just going to pause  it. And if we move on to the options now the   00:15:13,380 --> 00:15:18,270 Options tab has a lot of stuff that we need to  look into. First and foremost, we have the CRO,   00:15:18,270 --> 00:15:23,940 the crawler settings. Alright. So when you're  talking about the basic options, for example,   00:15:23,940 --> 00:15:30,270 we can specify what the spider will crawl for.  So it you can choose to select for robots,   00:15:30,270 --> 00:15:34,980 the robots dot txt file, which is very important  because it shows you, you know, exclusions,   00:15:34,980 --> 00:15:41,220 you then can detect, you can ignore the links to  non text content, you can request the root of all   00:15:41,220 --> 00:15:45,270 directories very important stuff. But again,  you can customize this to your liking. Now,   00:15:45,270 --> 00:15:48,870 one of the things I would recommend that you'd  not touch with, if you do not know what you're   00:15:48,870 --> 00:15:55,830 doing yet is the maximum link. That's right, the  maximum link depth is essentially the number of   00:15:55,830 --> 00:16:03,720 links you want the spider to, to essentially, to  crawl or to map. Now by default five is in my,   00:16:03,720 --> 00:16:09,510 in my, in my situation, or in my case, what I  like doing is alternating between three to five,   00:16:09,510 --> 00:16:15,360 anything higher than that will usually overload  the web application, and it will cause it to lag   00:16:15,360 --> 00:16:21,060 or to respond very, very slowly. And, you know,  again, that might not mean a lot right now,   00:16:21,060 --> 00:16:25,440 but trust me, when you'll actually be performing  the penetration test on the web application,   00:16:25,440 --> 00:16:32,790 you really need a good response. Otherwise,  you have your time to live, etc, etc. Okay,   00:16:32,790 --> 00:16:36,450 so let's look at what passive spidering is,  alright, so as passive spidering. And said,   00:16:36,450 --> 00:16:42,720 is essentially just, it allows you to continue  scanning, you know, or going through, or   00:16:42,720 --> 00:16:50,160 actually performing your requests how as as it, it  essentially allows you to continue the spidering   00:16:50,160 --> 00:16:54,900 process as you're performing any other tasks.  So as you can see, passes by during monitors,   00:16:54,900 --> 00:17:00,180 monitors traffic through the burp proxy to update  the sitemap without making any new requests,   00:17:00,180 --> 00:17:05,610 right. So passively spiders you browse, you can  also select the link depth associated with proxy   00:17:05,610 --> 00:17:09,390 requests now this, I would recommend keeping  it at zero to two. And that's because again,   00:17:09,390 --> 00:17:14,490 you do not want a very, very deep alert link  depth in the sense that you're also going to   00:17:14,490 --> 00:17:18,750 be performing your own requests, and you'll be  doing many other things you could be looking   00:17:18,750 --> 00:17:22,590 at the decoder or you could be looking  at, you could be focusing on the target,   00:17:22,590 --> 00:17:28,050 and you don't want it again to to slow  down the web application. Alright,   00:17:28,050 --> 00:17:32,310 so form submission. Again, this is something that  I said we'll be talking about in the next video,   00:17:32,310 --> 00:17:36,750 because it is quite advanced. And we'll get  started with the damn vulnerable web application   00:17:36,750 --> 00:17:42,900 there. Moving on to the spider engine, we'll be  looking at application login as well. But for now,   00:17:42,900 --> 00:17:50,010 just we'll just keep over that when we talk  about the spider engine. Alright, these settings   00:17:50,010 --> 00:17:55,710 control the engineers for making HTTP requests one  spidering. Right. So this allows you to change the   00:17:55,710 --> 00:18:01,740 number of threads you want to use. And as I said,  using more than we can see right now it's at 10,   00:18:01,740 --> 00:18:06,840 what I would recommend is still keeping it within  the range of two to five are all you might,   00:18:06,840 --> 00:18:11,940 you might cause the web application to slow  down. And these are more advanced settings that   00:18:11,940 --> 00:18:15,930 you can use dependent on timing. All right,  and we've talked about the request headers,   00:18:15,930 --> 00:18:22,170 they allow you to modify the way the spider will  we look towards the web applications, for example,   00:18:22,170 --> 00:18:28,350 you could you could edit the the device that is  being used. And you could change it, for example,   00:18:28,350 --> 00:18:33,990 into a mobile device and you get the idea you you  essentially allows you to to change the request   00:18:33,990 --> 00:18:39,750 headers. And from that, obviously, you'll get  a response back, dependent on what you changed.   00:18:39,750 --> 00:18:46,170 Alright, so that was the spidering, or actually  the theory revolving on spidering. Now we'll   00:18:46,170 --> 00:18:51,420 be looking at how spidering really works in the  next video. I know some of you may not like this   00:18:51,420 --> 00:18:56,040 that I actually went through through theory, and I  haven't talked about doing anything. But remember,   00:18:56,040 --> 00:19:00,390 it's very, very important to understand what  exactly is happening behind spidering. And   00:19:00,390 --> 00:19:03,660 in the next video, we'll actually get  started with the spidering process.   00:19:07,920 --> 00:19:13,530 Get started with brute forcing with the rates  or our vulnerable web application of choice is   00:19:13,530 --> 00:19:18,000 going to be the damn vulnerable web application,  as we discussed in the previous video, alright,   00:19:18,000 --> 00:19:21,660 and I'm going to be using meta exploitable  to as our as my server. By default,   00:19:21,660 --> 00:19:26,100 you can install medispa, you can install the damn  vulnerable web application on your Kali Linux,   00:19:26,100 --> 00:19:31,770 and you can host it on your local on your local  server. And you can you can then perform your   00:19:31,770 --> 00:19:36,330 attacks. But I like running it from another  virtual machine. And as you can see, I'm running   00:19:36,330 --> 00:19:41,100 it on the Metasploit able to virtual machine. And  by default, it's connected to my local network   00:19:41,100 --> 00:19:47,520 and it's bridged. So you can see that my local IP  address is 190 2.168 point 1.1 or two. Alright, so   00:19:47,520 --> 00:19:52,260 I already have the damn vulnerable web application  open as you can see it is running on the that IP   00:19:52,260 --> 00:19:58,230 address of the meta splittable to virtual machine  on the the damn vulnerable web application. So for   00:19:58,230 --> 00:20:02,220 those of you asking why I'm using Metasploit able  to instead of meta splittable. Three, it's because   00:20:02,220 --> 00:20:07,860 Metasploit able to has a much larger choice in  terms of vulnerable web applications. And it's   00:20:07,860 --> 00:20:12,180 really good for practicing. Alright, so make  sure you're logged into your damn vulnerable   00:20:12,180 --> 00:20:17,250 web application, you need the default username  is admin and the password is password. Alright,   00:20:17,250 --> 00:20:21,660 it's really very simple. Alright, by default, In  this video, we're going to set our security level   00:20:21,660 --> 00:20:25,500 too low. If you don't know how to do that, you can  go into your deverbal web application security.   00:20:25,500 --> 00:20:30,660 And you can set that too low, and you can just  hit submit. The reason we're setting it too low is   00:20:30,660 --> 00:20:35,580 because most logins Are you know, if you look at  the real world, if you're talking about big sites,   00:20:35,580 --> 00:20:39,810 this attack may very well work on sites that  are older, or sites that have not been updated,   00:20:39,810 --> 00:20:44,670 or sites that don't have good security, you'll  be shocked to find some really big companies   00:20:44,670 --> 00:20:50,370 that actually don't have any login protection,  or brute force protection for that matter. Now,   00:20:50,370 --> 00:20:54,420 that being said, what I was talking about is if  we go to brute force, you can see that we have   00:20:54,420 --> 00:20:58,800 a login prompt here. Now I forgotten the username  and password, and we're going to be brute forcing   00:20:58,800 --> 00:21:03,420 it live. Alright, but before we do that, we  need to actually start our birth. Alright, so   00:21:03,420 --> 00:21:08,190 start up that suite. And you can see I'm using the  Community Edition. And it is the latest version,   00:21:08,190 --> 00:21:12,270 right? So make sure that yours is the latest  version, obviously, for obvious reasons. And   00:21:12,270 --> 00:21:17,130 we're just going to start a temporary project  because I don't use the pro version. And we're   00:21:17,130 --> 00:21:22,320 going to hit use the birth defaults when you start  work. Alright, give that a few seconds to start   00:21:22,320 --> 00:21:27,180 the to start back. And now you want to make sure  you you're using the proxy. So we're going to go   00:21:27,180 --> 00:21:33,630 into preferences, and advanced and whoops, burp  is oh opened up, let me just go into my proxies,   00:21:33,630 --> 00:21:37,380 network settings. And we make sure that  it's using the manual proxy configuration,   00:21:37,380 --> 00:21:45,480 which is the localhost 120 7.0 point 0.1. And  the port is 8080. We're gonna hit OK, excellent.   00:21:45,480 --> 00:21:49,860 Now we need to move into burp back again. And  we want to make sure that we go into proxy,   00:21:49,860 --> 00:21:53,820 and the intercept is set to off. All right,  the reason we're setting the intercept off,   00:21:53,820 --> 00:21:59,490 is because I just want to show you something  first. Now by default intercept essentially just   00:21:59,490 --> 00:22:04,620 means that you're not intercepting the request,  the requests and the responses being sent from   00:22:04,620 --> 00:22:09,510 the web application to your browser. Okay, so  we have already set the proxy for the browser,   00:22:09,510 --> 00:22:16,260 but we're not intercepting. So if we just test a  random username like test, and we say a password   00:22:16,260 --> 00:22:21,360 like 12345, you can see if I hit login, it's  going to tell me that that is incorrect. Now,   00:22:21,360 --> 00:22:27,300 if I set the intercept to on to see the request,  let me just turn it on. And we can now reload this   00:22:27,300 --> 00:22:34,710 we can say test and the password 12345. We can  see that now it's for some reason, let me just   00:22:34,710 --> 00:22:41,220 forward that after actually just turn that off.  And we now see log in. And for some reason that   00:22:41,220 --> 00:22:46,590 is not allowing us because you have to reload.  Alright, so now if I hit intercept on, and whoops,   00:22:46,590 --> 00:22:53,760 let me just open up my browser and hit the parcel  1345. Log In. For some reason it's going to,   00:22:53,760 --> 00:22:58,710 it's going to slowly reloading here. I probably  there we are. Alright, so I've reloaded the page.   00:22:58,710 --> 00:23:04,710 And as you can see, now the intercept is on and  we go back to burp, you can see that we got the   00:23:04,710 --> 00:23:10,470 get request being sent by the web application.  Now let's inspect it for a while now we'll be   00:23:10,470 --> 00:23:15,540 looking at what all of this really means but by By  default, the most important thing right now is the   00:23:15,540 --> 00:23:20,250 get request. Alright, so you can see that the get  request has two values here. It has the username   00:23:20,250 --> 00:23:25,530 and the and the password. Now the values again are  not important we're going to be brute forcing the   00:23:25,530 --> 00:23:30,330 values but it's very important to get the fields  that we're using here. Now what am I talking about   00:23:30,330 --> 00:23:35,150 if you look at the cookie you can see the security  is low. And if you were to edit the value and for   00:23:35,150 --> 00:23:40,220 the package, you can set it too high that is basic  stuff that's good stuff right? But now we want to   00:23:40,220 --> 00:23:45,530 brute force this login. Alright, and how do we do  that you can see the first thing we need to do is   00:23:45,530 --> 00:23:49,850 we're going to be using the intruder alright so  if you're a bit confused about what the in today's   00:23:49,850 --> 00:23:56,330 Don't be worried intruder is essentially allow  allows us to edit the parameters, it allows us to   00:23:56,330 --> 00:24:01,790 edit the requests and then obviously edit them and  manipulate them so we can get the desired results.   00:24:01,790 --> 00:24:06,350 Now the great thing about there in the intruder  is it allows us to perform attacks like the brute   00:24:06,350 --> 00:24:13,070 force, etc, etc. Alright, but now what we need  to do is we need to send this request into the   00:24:13,070 --> 00:24:17,480 intruder so that we can send our own response.  Alright, so we're going to right click and send   00:24:17,480 --> 00:24:21,950 to intruder. So we just send it to intruder. And  once it's sent to the intruder, you can just hit   00:24:21,950 --> 00:24:26,390 forward. Alright, we don't need window, we don't  need that GET request anymore. So now you want to   00:24:26,390 --> 00:24:31,880 go into the intruder and you want going to your  positions. And as you can see in your positions   00:24:31,880 --> 00:24:39,500 you have got you have got the get request that  we were we just intercepted. And now you can   00:24:39,500 --> 00:24:45,230 see something really interesting. It's highlighted  for you all the different payloads. Okay, all the   00:24:45,230 --> 00:24:50,300 different fields that we can brute force for. By  default we have the username value, the password   00:24:50,300 --> 00:24:56,960 value, the login value, we have the F the SF ID  value, we have the the cookie value, no No, no,   00:24:56,960 --> 00:25:02,360 we don't need all of these The only values that we  need The username and the password value. So the   00:25:02,360 --> 00:25:07,550 most important thing you need to do right now is  you need to clear just hit clear. Alright, oops,   00:25:07,550 --> 00:25:15,110 sorry, not that clear. I beg, I beg your apology  there. I sorry, I didn't mean that what I'm trying   00:25:15,110 --> 00:25:19,850 to say is I'm sorry, just clear, just hit clear.  And as you can see, now, no values are being   00:25:19,850 --> 00:25:24,230 selected to be brute force against. So now we need  to select them manually. But before that, we're   00:25:24,230 --> 00:25:28,790 going to be using the the cluster bomb attack  type. Alright, the reason we're using the cluster   00:25:28,790 --> 00:25:32,870 bomb attack type is because we are going to be  using two values, we are brute forcing against   00:25:32,870 --> 00:25:39,110 two values. Remember that, okay, and these need to  be set in, in combination. So that means it's much   00:25:39,110 --> 00:25:44,960 better to use a cluster bomb because essentially,  you're clustering to values that need to be that   00:25:44,960 --> 00:25:51,080 need to be tested against the login, the login  application, or the login form together, alright,   00:25:51,080 --> 00:25:56,150 so in a combination, so we need to select cluster  bomb. And now we need to select the values because   00:25:56,150 --> 00:26:00,830 those are the those are that is what we want to  brute force again. So just highlight the value,   00:26:00,830 --> 00:26:05,720 it doesn't matter the password or the username  is just highlight it, and you want to hit Add.   00:26:05,720 --> 00:26:09,710 Alright, so just hit Add. And as you can see,  we have selected that, you know, going to the   00:26:09,710 --> 00:26:13,700 password, and you want to highlight that as well.  And you just want to add that, as you can see   00:26:13,700 --> 00:26:17,360 now once you have added that those are the two  values we're going to be brute forcing against,   00:26:17,360 --> 00:26:22,340 make sure that none of the others are selected  none of the other values. Once that is done,   00:26:22,340 --> 00:26:27,020 you're you're almost there now. Now you want to  go into your payloads. Right now in your payloads,   00:26:27,020 --> 00:26:31,400 you want to make sure that your payload set is set  to two, which is your username and your password.   00:26:31,400 --> 00:26:37,310 So let's start off with your payload set as  payload one, all right as your payload type,   00:26:37,310 --> 00:26:42,470 make sure that that is a simple list. Because  you can see we were only targeting usernames   00:26:42,470 --> 00:26:46,580 and passwords. So we don't need, you know, a  runtime file, or we're not changing anything,   00:26:47,240 --> 00:26:52,655 you know, dependent on Unicode etc, you get the  idea. Okay, so simple list. And now you're going   00:26:52,655 --> 00:26:57,170 to your payload options, which is where you select  your user list or your password list or your word   00:26:57,170 --> 00:27:02,090 list. Now, we're not using a word list. But if  you want to, you can if you're performing this   00:27:02,090 --> 00:27:06,620 on a real site, which I don't recommend unless  you have written permission. Now since we're   00:27:06,620 --> 00:27:12,470 using this in our penetration testing lab, we are  going to just add the default usernames and said   00:27:12,470 --> 00:27:18,260 the security of the site is low. And it's not  really a complex a brute force to crack. Okay,   00:27:18,260 --> 00:27:23,600 so what we want to do is, we want to make sure  we have set payload set to one, which is going   00:27:23,600 --> 00:27:28,910 to be for our usernames. So now we can go into  load where you can load your default usernames   00:27:28,910 --> 00:27:33,320 and your passwords or your word lists, but by  default, we're going to add our own Alright,   00:27:33,320 --> 00:27:40,070 so we're gonna say, whoops, we, for some, we're  just gonna say, we're going to type in a now like   00:27:40,070 --> 00:27:46,610 the commonly used usernames, alright, so something  like admin, administrator whoops, for some reason,   00:27:46,610 --> 00:27:52,250 actually, let me just remove these blank values  there. admin now administrator, administrator, let   00:27:52,250 --> 00:27:59,960 me just type that back in. administrator, like, so  administrator, for those of you telling me that my   00:27:59,960 --> 00:28:03,070 typing is bad. That's because my microphone  is right in front of me, and I can't really   00:28:03,070 --> 00:28:08,440 see what I'm typing administrator. Let's see what  else what are the default ones like we have root,   00:28:08,440 --> 00:28:14,470 we have password. Actually, we're not setting  the passwords right now. So we can just type in   00:28:14,470 --> 00:28:19,330 the default ones like this. All right, so we can  say test, you know, the default ones, user one,   00:28:19,330 --> 00:28:25,030 whatever you think could be the most commonly used  ones, okay? Or if you know what the username is,   00:28:25,030 --> 00:28:29,530 that is even better. So we're gonna add all the  usernames. Alright, so we've added the usernames   00:28:29,530 --> 00:28:33,640 that we want to use. Now by default, again, I'm  saying you can use a word list if you want to just   00:28:33,640 --> 00:28:38,530 go into load and select the word list. Now we want  to select our passwords, right? So we can go into   00:28:38,530 --> 00:28:43,720 the payload set to. And as you can see, now we  can add our own values. Now we can use the default   00:28:43,720 --> 00:28:50,950 word lists that come with Kali Linux. So if I go  into my root, and I'm going to use them, share and   00:28:50,950 --> 00:28:56,170 reselect word lists, let me just find where word  lists are. If I can find them, there we are word   00:28:56,170 --> 00:29:01,060 lists. And they are the ones that work great for  me in the Metasploit folder. And you can look for   00:29:01,060 --> 00:29:05,530 the default passwords. As you can see, you have  your database default passwords, you have your   00:29:05,530 --> 00:29:11,620 default, user password for services, that's also  great. It has a great list of of default usernames   00:29:11,620 --> 00:29:15,580 and passwords that you can use. But for me, I'm  not going to use this because we are sticking   00:29:15,580 --> 00:29:20,290 to the basics. And now you want to add your own  password. So we can select again, some randomly,   00:29:20,290 --> 00:29:27,850 you know, commonly used passwords. So pass, you  can say password. Let's see what else admin, you   00:29:27,850 --> 00:29:36,220 know, admin again, whoops, let me just remove that  one admin. Route, you can use route. Let's see,   00:29:36,220 --> 00:29:41,560 let me think 12345. That was the one that I've  seen many network administrators using 12345.   00:29:42,310 --> 00:29:47,560 And you get the idea. All right, so we've set our  two payloads. payload one is set for usernames.   00:29:47,560 --> 00:29:52,930 payload two is set for passwords. Excellent. All  right now, we have selected our payload types we   00:29:52,930 --> 00:29:58,690 have selected we have added our payload options.  We don't need to look at payload processing that   00:29:58,690 --> 00:30:03,190 is advanced once That's done, what you want to  do is going to intruder and start the attack.   00:30:03,190 --> 00:30:07,360 Alright, and now it's going to tell you that the  Community Edition of burp contains a demo version,   00:30:07,360 --> 00:30:11,920 but it's essentially telling you that the process  is going to be slow. Alright, so we're gonna hit   00:30:11,920 --> 00:30:16,060 OK. And it's going to start at the attack. As you  can see, it's going through all the combinations.   00:30:16,060 --> 00:30:20,470 And as you can see, the combinations that we  have here are 25, and is going to go through   00:30:20,470 --> 00:30:25,420 all of them. Now, one great thing that you need to  do here or one important thing that you need to do   00:30:25,420 --> 00:30:30,730 is you need to understand the the the status codes  that the server or the web application is sending   00:30:30,730 --> 00:30:38,410 back. Now, that's a good way of, of understanding  what password is correct? And what what username   00:30:38,410 --> 00:30:45,910 is correct and what password is not correct.  Okay. So if we look now, at the, at the results,   00:30:45,910 --> 00:30:49,330 as you can see that it's finished, it's going  through the brute force attack, we check the   00:30:49,330 --> 00:30:54,820 status, the status is still the same, we have a  status to 200. If we look at the length, right,   00:30:54,820 --> 00:30:59,740 the length is going to be still the same. But you  have to look for things that are not that are not   00:30:59,740 --> 00:31:05,800 matching. So for example, you can see that the  length here that was returned was 4948. And it's   00:31:05,800 --> 00:31:10,510 not, it's not following the format of the others.  So that means that this could be the username   00:31:10,510 --> 00:31:15,460 and password, don't worry about the status, the  status will still remain the same, regardless of   00:31:15,460 --> 00:31:19,600 that. But when we'll be looking at Advanced Server  penetration testing, that's something important.   00:31:19,600 --> 00:31:25,930 So you can see that the get that we've got here is  very important. Now if we look at the if we look   00:31:25,930 --> 00:31:31,870 at the response that will be sent. Right there,  you can see the response. And if we render it,   00:31:31,870 --> 00:31:36,970 you can see that if it was successful, it will  tell us that we've logged in successfully. So let   00:31:36,970 --> 00:31:40,990 me just browse down all the way as you can see,  welcome to the password protected area admin.   00:31:40,990 --> 00:31:46,780 And there you go, that is the username and the  password is admin and password. Now again, this   00:31:46,780 --> 00:31:52,210 was really simple. Again, you can you can increase  the security if you're practicing on your own. But   00:31:52,210 --> 00:31:56,860 you can see that this really works. And this is  how to utilize burp for advanced stuff like brute   00:31:56,860 --> 00:32:03,370 forcing. Now again, most of the advanced websites  nowadays have great content management systems   00:32:03,370 --> 00:32:07,780 that have the security plugins that essentially  prevent you from brute forcing or lock you out.   00:32:07,780 --> 00:32:12,115 But most of the oldest sites, you'll be, you'll  be actually quite shocked to find out that they   00:32:12,115 --> 00:32:17,680 are brute forces, they are log informed sorry,  are not protected. Now we've already logged in,   00:32:17,680 --> 00:32:22,960 and you can see that the default username is  admin, and the password is password. Okay, so you   00:32:22,960 --> 00:32:29,620 can look at the role. The raw HTTP here, you can  look at the request and the response. Or you can   00:32:29,620 --> 00:32:33,700 look at them and you can inspect them, if that's  what you do. And you can look at the headers,   00:32:33,700 --> 00:32:38,200 what's being sent, all that good stuff. But that  was going to be it for this video. And now if we   00:32:38,200 --> 00:32:43,600 just go back into burp, let me just go into my  proxy. And I'm going to disable intercept. And   00:32:43,600 --> 00:32:47,290 we can try and log in here. So we know that  the admin username is admin and the password   00:32:47,290 --> 00:32:54,700 is password. So let me log in. And welcome to  the password protected admin area fantastic.   00:32:58,280 --> 00:33:02,630 In this video, we're going to be looking at  selecting our verbs with our target in web suite,   00:33:02,630 --> 00:33:08,750 adding it to our scope, and then finally spidering  it as my vulnerable operating system, I'm going to   00:33:08,750 --> 00:33:15,740 be using the Matilda de which comes pre installed  on Metasploit able to so you should download Well,   00:33:15,740 --> 00:33:20,390 I would recommend that you download Metasploit  able to, it's a fantastic option for any of you   00:33:20,390 --> 00:33:25,760 who are just getting into penetration testing  offers multiple vulnerable web applications   00:33:25,760 --> 00:33:29,720 and vulnerable systems that you can practice  with. So again, it's something that I really,   00:33:29,720 --> 00:33:36,470 really recommend. That being said, as you can  see, I have made exploitable to virtual machine   00:33:36,470 --> 00:33:42,860 running. And I have already looked at my local IP  address, you can do that by typing in if config   00:33:42,860 --> 00:33:49,940 that will display to you your your current network  interface and your local IP address. Because we   00:33:49,940 --> 00:33:55,670 are doing this in our virtual penetration testing  lab. Alright, so let's go back to Kali Linux now.   00:33:55,670 --> 00:34:00,470 And I'm going to open up my browser, make sure  you get your IP address. And as I said, again,   00:34:00,470 --> 00:34:04,580 we're going to be using motility. So if you don't  know what Mattila day is Mattila day is simply a   00:34:04,580 --> 00:34:09,650 vulnerable web application. And the reason I'm  switching I'm switching from the damn vulnerable   00:34:09,650 --> 00:34:14,120 web application is because I want to show you  a few, I really want to make it a bit diverse   00:34:14,120 --> 00:34:21,050 in terms of the web applications that we use.  Alright, so let's get started now. Now I already   00:34:21,050 --> 00:34:25,850 have the IP address of my virtual machine opened  up here in my browser, as you can see, 190 2.1   00:34:25,850 --> 00:34:32,630 68 point 1.14. So if I reload this, you can see  that it indeed is the meta splittable to server   00:34:32,630 --> 00:34:38,990 and I can just go ahead and click on Mattila  day. Alright, now what I should do now is go   00:34:38,990 --> 00:34:45,020 into my preferences, you can do that by opening a  new tab. So let me just open a new tab here going   00:34:45,020 --> 00:34:51,560 into preferences, and then selecting advanced and  network and finally settings. And then you want to   00:34:51,560 --> 00:34:57,440 make sure you select a manual proxy configuration.  And then make sure it's using the localhost proxy,   00:34:57,440 --> 00:35:03,800 which is wondering 7.0 point 0.1 Port 8080 and  hit OK. Once that's done, we know that burp suite   00:35:03,800 --> 00:35:09,220 can intercept. Not that we want to do that in this  video, we just want to, we want to have a look at,   00:35:09,220 --> 00:35:13,360 we want to map the web, the web application.  Alright, so we're not going to change anything   00:35:13,360 --> 00:35:17,680 in Mattila day. But I'm going to be showing you  some pretty interesting things in this video.   00:35:17,680 --> 00:35:23,650 So now we should start up burp suite community.  Now I'm going to be explaining something at the   00:35:23,650 --> 00:35:28,630 end of the video that is really important. And it  is in regards to the community version, and the   00:35:28,630 --> 00:35:34,720 professional version of burp suite and what what  the differences are and why you will need at some   00:35:34,720 --> 00:35:40,390 point to get the professional version. Okay, so  I'm going to select a temporary project, I'm using   00:35:40,390 --> 00:35:45,760 the community version as of right now, hit Next,  use the bird default, and I'm going to start up.   00:35:45,760 --> 00:35:51,310 Alright, so it's going to start burp suite. And  let me just minimize the browser here. So give   00:35:51,310 --> 00:35:56,740 that a few seconds to start up. And once it starts  up, what you want to do immediately is turn off   00:35:56,740 --> 00:36:02,650 the proxy, we want to stop in the intercepting  because we are not intercepting any requests,   00:36:02,650 --> 00:36:09,340 or we are not inserting any responses. So go back  into your target. And now we can get started with   00:36:09,340 --> 00:36:15,190 with actually reloading the page right here. So  let's reload that. And we should be able to see   00:36:15,190 --> 00:36:22,510 what's going on. And we should have the sitemap.  Alright, so let me just open up the burp suite   00:36:22,510 --> 00:36:28,120 here. Fantastic. Alright, so now you can see  something very interesting has happened here.   00:36:28,120 --> 00:36:33,820 In our target. And sitemap, we have the files that  were discovered here. Well, essentially, we have   00:36:33,820 --> 00:36:39,250 the web server that then has the modality folder,  which is our target. Now before I get into any of   00:36:39,250 --> 00:36:43,510 that, the site map will show you the current  site map. Obviously a site map is essentially   00:36:43,510 --> 00:36:49,510 sorry about that a site site map is essentially  the structure or the format of the webpage,   00:36:49,510 --> 00:36:55,060 and how the web page was constructed and how it  will function in regards to every other piece of   00:36:55,060 --> 00:37:00,730 content. Okay, so the first thing that we need to  do, or we'll be looking at is actually selecting   00:37:00,730 --> 00:37:04,630 our target, which in this case, again, is Mattila  day. And you can do that by right clicking and   00:37:04,630 --> 00:37:09,730 hitting add to scope. All right, so you might  be asking what exactly the scope means? Well,   00:37:09,730 --> 00:37:15,130 a scope essentially allows us to define our  automated spidering. And what this means is   00:37:15,130 --> 00:37:19,660 we are focusing our only on our target, we're  not going to focus on the reference links,   00:37:19,660 --> 00:37:24,880 like you can see here, for example, we have to  it as a reference link, backtrack, dynamic drive,   00:37:24,880 --> 00:37:30,760 Eclipse, etc, etc, you get the idea. So scoping  is essentially selecting our target, isolating it,   00:37:30,760 --> 00:37:35,920 so that we only see what we need to see. And  the obviously the results that we want to see.   00:37:35,920 --> 00:37:40,450 So I'm going to right click on Mattila day,  and I'm going to hit Add to scope. Alright,   00:37:40,450 --> 00:37:46,480 so now it's going to say you've added an item to  to the target scope, do you want that proxy to to   00:37:46,480 --> 00:37:52,120 stop sending out scope items out of scope items  to the history of the other bedtools? Yes, again,   00:37:52,120 --> 00:37:56,410 we want to make sure that we are we clear out all  the junk that we don't need. Now you might have   00:37:56,410 --> 00:38:02,500 noticed? Well, that's essentially happened, but  nothing is really changed. And as you can see,   00:38:02,500 --> 00:38:07,000 it's gonna tell you here logging of out of scope,  proxy traffic is disabled, don't worry about that,   00:38:07,000 --> 00:38:10,840 just leave it as it is, if you want to re  enable it, you can go ahead but right now you   00:38:10,840 --> 00:38:15,850 don't need to do that. Okay, so we've looked  at how to add our target to the scope. Now,   00:38:15,850 --> 00:38:22,750 let's look at spidering is essentially the  the first and the most important step of web   00:38:22,750 --> 00:38:27,820 application penetration testing. Alright,  it is it deals with or it is in it is in   00:38:27,820 --> 00:38:33,250 relation with footprinting. And this is why I  bring the comparison from penetration testing   00:38:33,250 --> 00:38:38,560 to obviously web application penetration testing  it is to deal it essentially deals with crawling   00:38:38,560 --> 00:38:43,870 through the website. And then it records all the  files, the links and the methods and the methods   00:38:43,870 --> 00:38:49,000 that it can get. And that helps us build an idea  of how the web application is structured, how it   00:38:49,000 --> 00:38:55,180 works. And then finally, we can learn how we can  break through it. What we need to do is we need to   00:38:55,180 --> 00:38:59,320 spider our target. Well, we have added it to the  scope, which is great. And now we need to spider   00:38:59,320 --> 00:39:03,160 it. So what we're going to do is we're going to  we're going to use spider and this will help us   00:39:03,160 --> 00:39:08,290 identify all the links and the parameters that we  need. Again, as I said, it's like footprinting. So   00:39:08,290 --> 00:39:11,410 what you want to do is right click on your  target, which in this case is Mattila day,   00:39:11,410 --> 00:39:17,350 and you want to spider this branch. Alright,  so I'm going to spider this branch. And no,   00:39:17,350 --> 00:39:20,530 something interesting is going to start happening.  As you can see, it's going to start getting all   00:39:20,530 --> 00:39:27,100 the links all the resources that it can, and it's  going to prompt you with here a submit form. Okay,   00:39:27,100 --> 00:39:31,390 now, what you can do is just ignore the form,  there'll be quite a few essentially, these are   00:39:31,390 --> 00:39:36,040 default login forms where it's asking you to  enter credentials that you might want to enter,   00:39:36,040 --> 00:39:40,510 let's say you, you're performing whitebox, then  Richard testing and you have the details. You   00:39:40,510 --> 00:39:45,280 can again log in like this and perform internal  penetration tests. But we're going to assume   00:39:45,280 --> 00:39:50,560 that you're you do not know your penetration,  you're essentially performing a penetration   00:39:50,560 --> 00:39:54,850 test on the security. So I'm going to ignore  all of these forms. Okay. And as you can see,   00:39:54,850 --> 00:39:58,930 there's another one right there and the spidering  is probably continuing. Now if you want to view   00:39:58,930 --> 00:40:03,370 the status of these By doing, you can go into  spider. And as you can see you have the status   00:40:03,370 --> 00:40:08,650 of the spider. And once it's done, you will see  that the requests made will stop changing. And   00:40:08,650 --> 00:40:14,710 the bytes transferred, will also stop changing so  we can stop the spider. Now you noticed something   00:40:14,710 --> 00:40:20,680 that we were faced with those are form login  prompts. Now, you can choose to enter them as   00:40:20,680 --> 00:40:26,920 a prompt or as you're prompted, but the better  way of doing this is to actually you actually do   00:40:26,920 --> 00:40:32,350 this automatically. And you can do this by going  into spider. And you want to go into options,   00:40:32,350 --> 00:40:40,060 and you want to go in to your application login.  Alright. Now, if you look at the form submission,   00:40:40,060 --> 00:40:45,820 it is essentially what it's doing is is going to  use the default form submissions that you would   00:40:45,820 --> 00:40:50,950 find in a database. So for example, we have male,  first name, last name, surname, name, address,   00:40:51,460 --> 00:40:56,470 you get the idea. So those are default values  that one would, one would be expected to find. Now   00:40:56,470 --> 00:41:02,770 we're looking at the application login. As you can  see, its option is set to prompt for guidance, we   00:41:02,770 --> 00:41:07,810 want to change this to automatically submit these  credentials. Now in here you can enter default   00:41:07,810 --> 00:41:13,060 credentials. Or if you have an idea of what the  credentials you might expect to find. Now, this is   00:41:13,060 --> 00:41:18,700 where creativity and sheer information gathering  comes into play. So if you need a new the default,   00:41:18,700 --> 00:41:22,990 you know, usernames and passwords, you can enter  them here. Now what I'm going to do is I'm going   00:41:22,990 --> 00:41:28,690 to enter a string that is, well, I've used it  before in performing SQL injection, and we'll talk   00:41:28,690 --> 00:41:35,530 about SQL injection because it is very advanced.  If you know SQL injection, or you have you have   00:41:35,530 --> 00:41:41,860 an idea or experience with the databases, you  might understand what this string means. Alright,   00:41:41,860 --> 00:41:49,340 so for my username, I'm going to change that to  admin, quotation mark and say, or one equal one,   00:41:49,340 --> 00:41:54,890 and two dashes. All right space and a dash. Now  you don't need to worry what this means for now,   00:41:54,890 --> 00:42:00,800 please do not stress about this, I will explain  it when the time is right. All right. So leave   00:42:00,800 --> 00:42:04,790 the password as it is. And don't worry about that.  Now, we had, we don't need to change anything in   00:42:04,790 --> 00:42:09,590 terms of these tabs, we talked about these tabs  in the theory section. And now we can go back into   00:42:09,590 --> 00:42:15,560 our control and target. And finally, we can spider  the application again, once more so that we can   00:42:15,560 --> 00:42:21,380 enter the we can essentially process the strings  that we that we just entered in terms of the user   00:42:21,380 --> 00:42:27,020 name, so I'm going to right click and spider this  branch. Okay, so it's going to start spidering.   00:42:27,020 --> 00:42:32,600 And if we look at the spider, you can see that the  the spidering is complete. And you can essentially   00:42:32,600 --> 00:42:38,360 clear the cues if you want to clear the clear them  like so. And you can keep on running it depending   00:42:38,360 --> 00:42:42,380 on what you want to do. Okay, so I'm just  going to pause it. And now we have essentially   00:42:42,380 --> 00:42:47,570 spidered the web application. And you might be  asking, well, I've seen a few reference sites,   00:42:47,570 --> 00:42:53,270 that's not helping much, you know, we don't need  twitter.com or you know, sizzle js, this might   00:42:53,270 --> 00:42:59,270 give us a basic idea of what types of sites are  linked to to the web application. But in reality,   00:42:59,270 --> 00:43:05,390 you can see we have hackers.org not not very  important information at all. Now, what if   00:43:05,390 --> 00:43:10,460 we click on the Mattila day folder? Oh, look at  that. That's really interesting. Now that is very,   00:43:10,460 --> 00:43:15,800 very important. What has happened here is it's  given us the structure of the web application,   00:43:15,800 --> 00:43:22,610 this is vitally important. All right now, again,  as I'm saying, you can look at how the website   00:43:22,610 --> 00:43:26,960 or the web application is structured. So in  documentation, you can see you can go ahead   00:43:26,960 --> 00:43:31,580 and read the documentation, you can look at  the images that the website has the styles,   00:43:31,580 --> 00:43:36,770 so you can inspect the entire site and understand  what exactly is going on here or get an idea of   00:43:36,770 --> 00:43:41,510 what the person who developed the website was  thinking. And then finally, out of experience,   00:43:41,510 --> 00:43:47,030 or as we'll be looking at out of knowledge, you  can actually understand how to exploit the system.   00:43:47,030 --> 00:43:52,160 And that we will be talking about discovering  hidden files, hidden files, like admin pages,   00:43:52,160 --> 00:43:57,110 login pages, you know, that really juicy stuff.  And we'll be talking about that in the next video.   00:43:57,110 --> 00:44:02,750 And that's because that sweet Community Edition  does not support or have allow you to use that   00:44:02,750 --> 00:44:06,230 feature. So what I'm going to do in the next  video, I'm going to be using burp suite Pro,   00:44:06,230 --> 00:44:12,020 and also show you an alternative program. I'm sure  you've heard of it. That also works on Windows.   00:44:12,020 --> 00:44:16,340 Of course, that's how it works on Windows. But  I'm not really a Windows fan when it comes down   00:44:16,340 --> 00:44:22,460 to penetration testing. So that being said, we  have essentially spider the application we have   00:44:22,460 --> 00:44:27,560 the structure of the web application. And now we  need to look at something also very interesting   00:44:27,560 --> 00:44:33,950 as we have already talked about it. Let me just  complete. Let me just show you how to get rid of   00:44:33,950 --> 00:44:39,980 all of these reference links and to essentially  show the items in the scope only. So what you   00:44:39,980 --> 00:44:45,080 can do is just click on filter right here, this  little bar here is the filter bar. So click on it,   00:44:45,080 --> 00:44:49,700 and it's going to show you bring up this smaller  window and you want to focus on the filter by   00:44:49,700 --> 00:44:55,580 request type and make sure you check show only in  scope items. This will essentially filter all the   00:44:55,580 --> 00:45:02,660 results to show you only links or resources or  files that are within the scope. So once that's   00:45:02,660 --> 00:45:07,550 done, just click back on the filter. And as you  can see it has got rid of all the junk that you do   00:45:07,550 --> 00:45:12,560 not need whatsoever. And now you can essentially  look at the, the requests and the responses and   00:45:12,560 --> 00:45:19,040 analyze them accurately defined to your scope. And  this will essentially, it will stop confusing you,   00:45:19,040 --> 00:45:24,230 I've seen many beginners make this mistake where  they don't define the scope. They do not know   00:45:24,230 --> 00:45:29,150 what the target is, and they're getting links that  are not even relate to the website that they're,   00:45:29,150 --> 00:45:33,320 they're trying to perform the penetration test  on. Now, since you know this knowledge, this   00:45:33,320 --> 00:45:39,140 will help you get a solid foundation. And again,  you can start logging out of skip out of scope   00:45:39,140 --> 00:45:43,700 proxy traffic when you want. Again, that's very  nice that they add that button right over there.   00:45:43,700 --> 00:45:48,590 Alright, so now you only have the files that  you require, or the files that you're currently   00:45:48,590 --> 00:45:54,080 performing the penetration test only. Now I know  this, this video was slightly, there was not a   00:45:54,080 --> 00:45:58,100 lot of action. But again, it is very important  that you get this in the next video, we'll be   00:45:58,100 --> 00:46:04,160 looking at how to how to discover hidden files  or files in general that you are not supposed to   00:46:04,160 --> 00:46:09,200 find. Okay. And that can be done by right clicking  and going into engagement tools. As you can see,   00:46:09,200 --> 00:46:14,870 it is defined to the professional version of burp  suite. And we will be going into discover content   00:46:14,870 --> 00:46:19,520 where I'll be explaining to you how to find  things like the login page or the configuration   00:46:19,520 --> 00:46:26,510 page. Some things that web developers, you know,  actually just may try to hide them. But if it's   00:46:26,510 --> 00:46:31,490 actually found, can really exploit the website  or can lead to the exploitation of the website.   00:46:35,690 --> 00:46:41,600 We're going to start looking at how to discover  hidden files. But before that, I just want to take   00:46:41,600 --> 00:46:48,260 you through a few things. Alright, so let's start  off with what OS base or o w SP. Alright, so what   00:46:48,260 --> 00:46:52,460 does that mean? Well, essentially what it means,  or what it stands for is the open web application   00:46:52,460 --> 00:46:57,560 security project. Alright, and its goal. Well,  essentially, it is a nonprofit organization   00:46:57,560 --> 00:47:04,010 whose goal is focused on improving the security of  software. All right, so its job is to improve the   00:47:04,010 --> 00:47:10,700 security of software. Now this project, the O w  SP, or the open web application security project,   00:47:10,700 --> 00:47:18,500 created a tool called as the Zed attack proxy. Or  as you know, it the zap, many people like calling   00:47:18,500 --> 00:47:22,820 it zap. And I'm sure most of you have heard  of it. And you might have been, you might be   00:47:22,820 --> 00:47:28,790 leaning towards burp suite a little bit more. But  I can guarantee you that zap is one of my favorite   00:47:28,790 --> 00:47:34,310 tools. And I use it because firstly, it's free.  And for the people like for the students I teach,   00:47:34,310 --> 00:47:39,260 I usually tell them to start with zap because if  you get zap, you'll automatically get burp suite.   00:47:39,260 --> 00:47:43,850 And you only need burp suite when you're moving  into an enterprise environment where you know,   00:47:43,850 --> 00:47:49,640 burpsuite is the recommended tool. And it is the  tool that you must use to adhere to certain rules   00:47:49,640 --> 00:47:54,680 and ethics. That being said zap is a fantastic  tool. It's absolutely free. As you can see the   00:47:54,680 --> 00:48:00,170 old w SP Zed attack proxy proxy, which is,  you know, abbreviated as zap is one of the   00:48:00,170 --> 00:48:04,670 world's most popular free security tools and is  actively maintained by hundreds of international   00:48:04,670 --> 00:48:09,320 volunteers, right. So it helps you find security  vulnerabilities in your web applications while   00:48:09,320 --> 00:48:13,700 you're developing and testing applications. So  again, if you're a web application developer,   00:48:13,700 --> 00:48:18,230 this is also a fantastic tool for you. And as I  said, it's going to be a fantastic alternative   00:48:18,230 --> 00:48:25,010 to do burp suite. All right now that's not  to say that burp is bad. burp is more of a   00:48:25,010 --> 00:48:30,890 enterprise an enterprise developed software.  As I've mentioned in the for the first video   00:48:30,890 --> 00:48:36,980 of this series, burp is focused on professionals.  Now that's not to say that zap isn't, but you'll   00:48:36,980 --> 00:48:42,140 get the idea. Alright, so I'm going to be making  a separate video on installing zap and I'm going   00:48:42,140 --> 00:48:46,610 to make a video on how to get accustomed to the  interface because it is slightly different. And   00:48:46,610 --> 00:48:53,420 the language or English used for the interface is  again very well obviously very different but it is   00:48:53,420 --> 00:48:58,190 quite different. So again, getting used to it was  also something that is quite helpful because we'll   00:48:58,190 --> 00:49:04,310 be needing some of the enterprise features and on  only a tool like zap will be a great alternative.   00:49:04,310 --> 00:49:09,650 However, if you do have burp suite Pro, go ahead,  it will it will just be the same thing. As I   00:49:09,650 --> 00:49:14,090 mentioned in the previous video, it's really  very easy to to follow up where we left. Okay,   00:49:14,090 --> 00:49:19,490 that being said, it runs on the same network  proxy, it runs on the localhost. So make sure   00:49:19,490 --> 00:49:24,800 you're running it on the localhost and on port  8080. I'll be showing you how to change the port   00:49:24,800 --> 00:49:30,950 if you so feel you want to. That's also another  great thing about us as AP is it allows you to   00:49:30,950 --> 00:49:36,410 change the proxies. So I have Mattila day opened  up here and it is again running on my Metasploit   00:49:36,410 --> 00:49:40,670 able to virtual machine and it's running  on the IP address my local IP address 190   00:49:40,670 --> 00:49:47,360 2.1 68 point 1.104 as you can see Mattila day.  Alright, so that's working perfectly. So let me   00:49:47,360 --> 00:49:53,810 just leave those other tabs open because again,  there's no there's no real harm. Okay, so, again,   00:49:53,810 --> 00:49:59,360 you can configure the material at a security level  if that's what you want, you know to do to make   00:49:59,360 --> 00:50:04,070 things harder. But I'm just going to be showing  you the focus of this video, which is how to find   00:50:04,070 --> 00:50:10,370 hidden files. Now, you might be asking, why do  we need to find hidden files? Or why do we need   00:50:10,370 --> 00:50:15,170 to discover these hidden files or hidden files?  Firstly, are the files like admin login pages,   00:50:15,170 --> 00:50:21,410 you know, maybe a robots dot txt, but that's not  really something that's hidden nowadays. It could   00:50:21,410 --> 00:50:27,410 be a txt containing maybe usernames, you know,  something really weird, or, you know, pardon   00:50:27,410 --> 00:50:33,260 my English or pardon my language, something dumb  that the web developers left behind, or, you know,   00:50:33,260 --> 00:50:38,570 just not configured correctly. And you'll see  what I mean in a few seconds. All right. So again,   00:50:38,570 --> 00:50:42,200 these are the files that are hidden, and  you will not find them after spidering,   00:50:42,200 --> 00:50:48,440 your web application or website. Alright, so let's  get started with zap. As you can see, I have the   00:50:48,440 --> 00:50:53,270 logo right here on my it's added to my favorites,  let me just launch it, give it a few seconds, and   00:50:53,270 --> 00:50:58,790 it should start up. There we are, the zap, give it  a few seconds again, and make sure you update it   00:50:58,790 --> 00:51:03,830 usually the updates for the modules very, very  regularly. So make sure you update them to the   00:51:03,830 --> 00:51:09,260 latest version, as they improve the speed and so  on and so forth. Alright, so it's going to prompt   00:51:09,260 --> 00:51:13,760 you here, do you want to persist the substation,  that means Do you want to save this app session,   00:51:13,760 --> 00:51:20,060 I don't, I do not want to persist the session at  this moment in time. So I'm going to start. Again,   00:51:20,060 --> 00:51:24,380 don't worry, if you're not familiar with the  interface, I'll be going through it in another   00:51:24,380 --> 00:51:29,720 video because it deserves Now you might be a  little bit overwhelmed. But do not worry, do   00:51:29,720 --> 00:51:34,880 not stop going to you know URLs to attack that may  seem really really tempting. But again, you know,   00:51:34,880 --> 00:51:41,330 let's take it nice and easy. So let's talk about  the proxy, how to change the proxies. So to do   00:51:41,330 --> 00:51:46,340 that, you can go into your cog right here, as  you can see, or you can go into tools and go   00:51:46,340 --> 00:51:52,370 into options. Alright, but I like going into this  little cog here. And once you press on, once you   00:51:52,370 --> 00:51:57,110 click on the cog, let me just enlarge that, you  will see that you have this huge menu. And again,   00:51:57,110 --> 00:52:04,640 as I said, zap is a really advanced tool, and in  some cases can totally replace burp suite. Now,   00:52:04,640 --> 00:52:09,620 looking at the proxies, you want to go for  the local proxies right here. It's obviously   00:52:09,620 --> 00:52:14,810 starting with L. So local proxies, and make  sure that the address is hosted on localhost.   00:52:14,810 --> 00:52:19,970 And you can change the port if you're using burp  suite and stuff, like you're just using both the   00:52:19,970 --> 00:52:25,010 applications at the same time, or you're running  something on localhost already. So you can change   00:52:25,010 --> 00:52:30,140 it to something like 8081, whatever you feel  is comfortable for you. Okay, so that's how to   00:52:30,140 --> 00:52:35,810 change your proxies. And if you're running the  ad net, you can also go check this and that you   00:52:35,810 --> 00:52:41,510 should be good there, if you don't find that the  proxy is working. So just hit OK. Alright, now,   00:52:41,510 --> 00:52:46,970 you see that there is no draya We are not going to  be looking at intercepting right now, but we will   00:52:46,970 --> 00:52:52,310 be looking at that in a few in probably the next  videos, the advanced videos with SAP. Alright,   00:52:52,310 --> 00:52:57,260 so let me just reload the material a page. And  as you can see, I'm running the proxy. So I'm   00:52:57,260 --> 00:53:02,570 just going to reload the page. And as you can  see, we are not intercepting actively. So Whoa,   00:53:02,570 --> 00:53:08,180 what's this? Well, we got some files here. Let me  just reload the page one more time. And there we   00:53:08,180 --> 00:53:14,930 are, we are getting some results. So we get the IP  190 2.1 68 point 1.14. That's the server and if we   00:53:14,930 --> 00:53:21,350 just click on this drop down here, we get request.  So you can analyze the get request. If that's what   00:53:21,350 --> 00:53:26,540 you want, you can right click, and then analyze.  All right now will we not be looking at that right   00:53:26,540 --> 00:53:31,790 now because I want to focus on finding the or  discovering the hidden files. So what we'll do   00:53:31,790 --> 00:53:36,920 is we want to click on the utility folder. Now one  of the great things I like about zap is it already   00:53:36,920 --> 00:53:41,810 gives you the file structure or the website  structure immediately here. Alright, so again,   00:53:41,810 --> 00:53:47,360 so you have your images folder, which has it,  the images there, you have JavaScript styles,   00:53:47,360 --> 00:53:54,140 and your all the resources in regards to the  website that it could find naturally. Alright.   00:53:54,140 --> 00:54:01,910 So if we, if we just look at the bottom here, you  can see that it it's showing you a timestamp with   00:54:01,910 --> 00:54:07,400 the method that the URL, and it gives you the  the code which means the pages in this case,   00:54:07,400 --> 00:54:14,510 the 200 code means the page was found, you have  the reason you have the RTT, the size, the alert,   00:54:14,510 --> 00:54:18,080 as you can see, it's telling us we have a high  alert here. Now don't worry about that. Again,   00:54:18,080 --> 00:54:23,180 these are things that you know will be will  really be tempting, but again, let's take it slow.   00:54:23,180 --> 00:54:28,220 Alright, so the first thing you want to do or you  need to do is to right click here, and you want to   00:54:28,220 --> 00:54:33,800 go to attack and hit spider. Alright, so we want  to spider the website or the web application and   00:54:33,800 --> 00:54:39,530 start scan Do not touch anything here. Just make  sure it's using the appropriate server address   00:54:39,530 --> 00:54:43,940 and just hit scan. Right now it's going to spider  the entire web application and it's going to give   00:54:43,940 --> 00:54:48,710 you a little progress bar here. You can pause  it or stop it which is also great to see at the   00:54:48,710 --> 00:54:52,760 bottom you should have also noticed that you have  your tabs here that work really really well. And   00:54:52,760 --> 00:55:00,410 as you can see the the website now is completely  spidered. And if we just check all the files that   00:55:00,410 --> 00:55:05,720 we can find now you can see that we have some more  JavaScript files. And essentially what's happened   00:55:05,720 --> 00:55:12,170 here is the entire site has been, has been  spidered. Okay, now we already did this with burp.   00:55:12,170 --> 00:55:16,640 And the you know, you've you're probably really  bored of this right now. So what we're going to do   00:55:16,640 --> 00:55:22,010 now is we need to, we need to start discovering  the hidden content, right. So let me just close   00:55:22,010 --> 00:55:27,320 all of this up. There we are. Fantastic. Now,  let me just open that up. And let's go to Mattel   00:55:27,320 --> 00:55:33,110 today. Oops, my bad Sorry about that, guys.  And we want to right click on Mattila day,   00:55:33,110 --> 00:55:39,860 and you want to go to attack and you want to go  to first browse directory and children that's very   00:55:39,860 --> 00:55:44,390 important. First browse directory will not display  everything, we'll also be looking at fuzzing,   00:55:44,390 --> 00:55:49,040 but that's for later. Alright, so you want to make  sure you hit forced browse directory, just click   00:55:49,040 --> 00:55:53,420 on that. And it's going to open up this tab here.  So you can see we are despite the tab open, which   00:55:53,420 --> 00:55:57,980 you can close read if you're not using it, which  is also great. I really like the management of   00:55:57,980 --> 00:56:03,590 zap, you then have output for your outputs alerts.  As you can see, you have some alerts here that   00:56:03,590 --> 00:56:08,120 will alert you on some potential vulnerabilities.  So for example, APPLICATION ERROR, disclose,   00:56:08,120 --> 00:56:14,570 you have some cookies, a noise GTP flag. So again,  awesome stuff there. We have to get requests,   00:56:14,570 --> 00:56:20,630 all that good stuff, which is again focused on a  different type of attack. And as you can see, by   00:56:20,630 --> 00:56:26,750 default, we've got the robots. txt here, which you  can analyze if you want to, by clicking and going   00:56:26,750 --> 00:56:33,020 ahead and doing that. So you can copy the URL to  the browser. So again, copy the URL to clipboard,   00:56:33,020 --> 00:56:38,360 alright, and if we just try and explore this,  let me just paste and go here. As you can see,   00:56:38,360 --> 00:56:44,750 we're for some reason, we're not actually getting  robots to txt. Let me use the motility date. Till   00:56:44,750 --> 00:56:50,690 today, or actually, you know what, let's not do  that right now, because I really want to stay   00:56:50,690 --> 00:56:55,460 on topic here. So I'm just gonna go back into  that. Again, I always love going off topic,   00:56:55,460 --> 00:57:01,070 fourth topic for some reason. Okay, so make sure  you click on motility and you want to right click   00:57:01,070 --> 00:57:07,010 on it. And now Oh, sorry, we already did the  first browser, right click, go to attack and   00:57:07,010 --> 00:57:12,110 first browse, directory and children. Alright,  now it's going to open up this tab here. And   00:57:12,110 --> 00:57:17,360 it's going to, it's going to make you choose the  site. As you can see, you have your site IP here.   00:57:17,360 --> 00:57:21,260 Now you need to select the default directory  list to it's going to use this list here, this   00:57:21,260 --> 00:57:27,470 default list that comes already with zap. And now  it's going to try and use it in a sort of a brute   00:57:27,470 --> 00:57:32,480 force way to try and detect the hidden files and  folders. And once it gets the result, it's going   00:57:32,480 --> 00:57:37,520 to enumerate them. Okay, so now you want to right  click again on it, after you've selected the list   00:57:37,520 --> 00:57:42,170 and hit attack. And you want to go to force browse  directory and children. And once you hit that,   00:57:42,170 --> 00:57:46,760 it's going to start the process. Now again, this  is going to take a long, while not a long time,   00:57:46,760 --> 00:57:51,410 depending on this the size of the website,  if the site is huge, then again, it's gonna   00:57:51,410 --> 00:57:57,110 take a while. And as you can see, immediately  we're getting some submitted files. So let's,   00:57:57,110 --> 00:58:02,960 let's wait for this call to complete. And I know  motility has some very, very interesting files   00:58:02,960 --> 00:58:08,810 here that I'm sure will be happy to get. Alright,  so just let it go through this. As you can see,   00:58:08,810 --> 00:58:15,410 you can check the progress as you're going here.  And again, the the if you look at the status code,   00:58:15,410 --> 00:58:20,240 you can see 200 means the pages were found. So  you can just go ahead and look for things that   00:58:20,240 --> 00:58:25,370 are irregular. And I'm sure we can find something  here that we haven't found before. Or you can   00:58:25,370 --> 00:58:35,120 look at the at the file form the website directory  here. So um, Mattila day, let's see if we can find   00:58:35,120 --> 00:58:39,350 something that is really, really interesting year.  So we have the includes we have the get index of   00:58:39,350 --> 00:58:43,940 PHP, we get regressed, sorry for the index dot  o we have something interesting here we have a   00:58:43,940 --> 00:58:50,840 notes folder. Aha, now we're talking now this  is where stuff gets really exciting. Alright,   00:58:50,840 --> 00:58:56,840 so we have whoops, where'd it go? There we are.  So in notes, we have some very interesting files   00:58:56,840 --> 00:59:02,990 in notes. So we have a get passwords. Now  what happens? What's this about? Alright,   00:59:02,990 --> 00:59:08,240 so what if what what if we just open this URL  in the browser? Alright, so let me just try and   00:59:08,240 --> 00:59:12,530 open that in Firefox, I just want to see what  it's going to be all about. So hopefully, it's   00:59:12,530 --> 00:59:18,440 opened up in my browser. If it's not, I'll have to  copy the URL, probably because I haven't set any,   00:59:18,440 --> 00:59:26,120 any default. Alright, so copy URLs to clipboard.  And let me just paste that in there, paste and go.   00:59:26,120 --> 00:59:31,340 There we are Mattila day and passwords. Alright,  so you can see that this folder or this file was   00:59:31,340 --> 00:59:38,150 hidden. And we have an interesting txt file here,  which again is quite scary to go we did open   00:59:38,150 --> 00:59:44,090 Firefox. Well, don't doesn't look like we need  that instance. So getting back to the topic here,   00:59:44,090 --> 00:59:50,360 for some reason, process unexpectedly closed  with. Alright, so that looks like we have a   00:59:50,360 --> 00:59:58,680 Java error there. So let me just go back in over  here. So again, we found an accounts dot txt file,   00:59:58,680 --> 01:00:05,940 what could that be? be caring. Let's click on  that. Oh boy. So again, we have accounts here.   01:00:05,940 --> 01:00:12,570 And well, I'm pretty sure you will know what this  means. This is just bad practice from the website   01:00:12,570 --> 01:00:17,100 developer, where he wrote notes. And essentially,  these are the accounts. Now let's see what else we   01:00:17,100 --> 01:00:22,980 can find. Let's see accounts. Nothing interesting  in accounts, because we now have the account. So   01:00:22,980 --> 01:00:28,530 that makes our brute force much easier. You then  have, let's see if we can find any passwords if   01:00:28,530 --> 01:00:33,960 they were ever saved here. I'm pretty sure they  are not. But we can also look for some interesting   01:00:33,960 --> 01:00:39,120 files here. That can be really interesting. Or you  can look at the sitemap if you want to. So let's   01:00:39,120 --> 01:00:43,680 also copy that. Let's see if it gives us access to  the sitemap also very, very important stuff there.   01:00:43,680 --> 01:00:50,520 Oh, yeah, so the sitemap, for some reason, we were  not able to process it. Alright, let's look for   01:00:50,520 --> 01:00:59,010 some other files here. Let me just open up Mattila  day again. So we have the get images. Let's see if   01:00:59,010 --> 01:01:04,170 we run the get images. Let's see what images we  can get. Again, I'm going pretty amateurish on   01:01:04,170 --> 01:01:07,470 this. I'm just clicking on everything. But I'm  just trying to show you the amount of files that   01:01:07,470 --> 01:01:12,930 you can find, as you can see, immediately, you  can find that the refresh button, you know all   01:01:12,930 --> 01:01:18,960 the icons related to the website. You have the  I hack banner. Oh, yeah, hackers for charity,   01:01:18,960 --> 01:01:26,670 man. So I'm talking about YouTube. Oh my god, what  an old logo that is the older BSP logo. Pretty   01:01:26,670 --> 01:01:32,010 cool. Pretty cool. And yeah, so you get the idea.  So this is how you actually go through website   01:01:32,010 --> 01:01:38,130 and find files that could contain you know, stuff  that is quite interesting, to be honest. So let's   01:01:38,130 --> 01:01:43,080 see what else we can find. I'm just going to go  to one more resource here that we've found, oh,   01:01:43,080 --> 01:01:49,200 we have to get register out. Now. That's what I'm  talking about copy URL to clipboard. It's actually   01:01:49,200 --> 01:01:54,150 it's actually quite fun. This why bug bounty  hunting is? Oh, yeah. Now this is what I'm told   01:01:54,150 --> 01:02:00,690 we can actually register. We can actually register  ourselves on the website. Now again, looking at   01:02:00,690 --> 01:02:07,030 the website from here, it doesn't look like we  can. Can we even register on this website? Not   01:02:07,030 --> 01:02:12,010 sure we can. For some reason, it's not actually  letting me scroll to the top. But hey, I don't   01:02:12,010 --> 01:02:16,720 really know what's going on there. So let's see  if we, yeah, we can definitely log in render and   01:02:16,720 --> 01:02:22,630 register. Sorry about that. We can register there.  So yes, it is the register. It does exist. So that   01:02:22,630 --> 01:02:29,890 wasn't actually hidden. But it was hidden. It was  hidden to the women when we spidered the website.   01:02:29,890 --> 01:02:34,630 So that means indeed, it was hidden, for obvious  reasons. Because the brute force for example,   01:02:34,630 --> 01:02:39,880 if you find the login, which is again here,  and again, if this is hidden, you can imagine   01:02:39,880 --> 01:02:47,440 the the damage that you can do so again, you can  log in from there. Set up database, whoo. Now,   01:02:47,440 --> 01:02:52,930 that's interesting. For some reason, it's not  letting me copy. Alright, so looks like we got   01:02:52,930 --> 01:03:00,790 set up database here. So yeah, we can Okay, I  do not want to manually edit the request. No,   01:03:00,790 --> 01:03:06,670 I do not want to manually edit the request. For  some reason my keyboard is being pressed here.   01:03:06,670 --> 01:03:12,280 While that's we admin, copy heroes to clipboard.  All right, sorry about that my spacebar was being   01:03:12,280 --> 01:03:19,480 mashed on by my tablet in front of me. Right.  So let me just there we are on. So no PHP MySQL   01:03:19,480 --> 01:03:24,220 errors, were resetting. So essentially reset the  database, and you can see the damage that this can   01:03:24,220 --> 01:03:29,740 do. So again, that is some good stuff that you can  have fun with, when especially with Mattila day,   01:03:29,740 --> 01:03:35,650 you can increase the security and find what other  files you can, you can find, you know, with zap,   01:03:35,650 --> 01:03:41,680 again, zap is a fantastic alternative that you can  use. If you know if you're not ready to invest in   01:03:41,680 --> 01:03:48,280 burp suite, that's totally fine. I used zap for  I think about three years, especially since 2014.   01:03:48,280 --> 01:03:55,060 I think I used it in till about I think 2016 or  17. I'm not too sure. And it worked great for me,   01:03:55,060 --> 01:04:00,280 I really enjoyed it. And I'm just getting back to  I'm just remembering all the tools used to work,   01:04:00,280 --> 01:04:04,928 it was actually quite a user intuitive  interface. Because I just remember right   01:04:04,928 --> 01:04:09,310 clicking means you can copy the URL, you  can inspect it, you can change the request,   01:04:09,310 --> 01:04:13,950 you can attack all that good stuff. And you know,  it's sorted out really, really well. Alright,   01:04:13,950 --> 01:04:17,430 and you can look at the requests here,  you can change them to whatever you want,   01:04:17,430 --> 01:04:23,640 and then send them you can intercept them. So  it essentially does whatever but a suite does.   01:04:27,730 --> 01:04:32,720 We're going to be looking at web application  firewalls, or waafs, as they're called. Now,   01:04:32,720 --> 01:04:38,570 this may be a new term for you and do not worry.  This is now when we move into a more professional   01:04:38,570 --> 01:04:44,420 level. And again, this is what I've been talking  about is most people out there or most documented   01:04:44,420 --> 01:04:49,880 documentation out there won't cover the most  important industry standards. You know, now when   01:04:49,880 --> 01:04:57,260 I'm talking about web application firewalls, what  I mean is, is these are the protection or these   01:04:57,260 --> 01:05:04,400 are the mitigation procedures. put in place to  protect a web application from attacks, obviously   01:05:04,400 --> 01:05:08,930 now as a penetration tester, or if you're  looking at it from a white hat, or a black hat   01:05:08,930 --> 01:05:13,400 perspective, from wider perspective, it's always  important to have a web application firewall. And   01:05:13,400 --> 01:05:16,970 I'll probably make another video showing you how  to set it up, it's really easy, and it's free,   01:05:16,970 --> 01:05:22,100 and it will probably removed about 20% of attacks.  Okay, so that's if you're a white hat. Now,   01:05:22,100 --> 01:05:27,020 if you're a black hat, and you're targeting, or  you're performing a penetration test legally on   01:05:27,020 --> 01:05:32,720 a website or web application, we usually what  the employer will tell you is they'll give you   01:05:32,720 --> 01:05:38,060 a scope of the project. And again, they might give  you the source code, etc, etc, you get the idea,   01:05:38,060 --> 01:05:43,730 you have your white box, testing, black box  and gray box. But coming back to the firewall,   01:05:43,730 --> 01:05:48,470 most of them will know that there is a firewall.  And that's because the person who set the website   01:05:48,470 --> 01:05:53,420 up for them in terms of hosting, or the web  application for them, will in most cases,   01:05:53,420 --> 01:05:58,760 on a professional level, have a web application  firewall. Now you might be a bit confused. And   01:05:58,760 --> 01:06:02,960 you might be saying, Well, why is this important  when performing a penetration test? Well, this   01:06:02,960 --> 01:06:08,060 is important because firstly, it's something that  most pen testers overlook. And if you know this,   01:06:08,060 --> 01:06:13,310 you've got an ace up your sleeve. Alright, so  essentially, what's happening is if it's being   01:06:13,310 --> 01:06:19,010 used, if a web application firewall is being  used, you obviously first need to detect it.   01:06:19,010 --> 01:06:23,090 And I'm going to show you how to detect it in  this video using a special tool that I don't   01:06:23,090 --> 01:06:28,100 think you've ever heard of. But it's also industry  standard. So this is a real secret, I don't know,   01:06:28,100 --> 01:06:33,290 for some reason, it's not just, it's something  that just hasn't caught up yet. But hopefully,   01:06:33,290 --> 01:06:38,180 after this video, you'll know about it. Alright,  so essentially, the purpose of a web application   01:06:38,180 --> 01:06:44,880 firewall is it protects the web application, you  know, from a firewall point of view in the sense   01:06:44,880 --> 01:06:51,120 that it blocks attacks, as one would expect them  to come. Now what does this mean for you? Well,   01:06:51,120 --> 01:06:57,690 this means that you will need to, you will  need to manipulate any type of data that is   01:06:57,690 --> 01:07:02,340 going to be encoded, alright. So what this  means is, if you're, if you're performing a   01:07:02,340 --> 01:07:06,630 penetration test that involves you manipulating  data and sending it back to the web application,   01:07:06,630 --> 01:07:12,870 then you need to encode it in a specific way to  bypass the firewall. Otherwise, it will be blocked   01:07:12,870 --> 01:07:17,490 by the firewall. And I'm sure most of you have  actually done this before. If you're just amateur   01:07:17,490 --> 01:07:22,140 penetration testers, and you've just begun, you'll  find that for some reason, your requests aren't   01:07:22,140 --> 01:07:27,660 being processed. And that's because they've, there  is a firewall set up to prevent these malicious   01:07:27,660 --> 01:07:32,910 requests from being processed. Okay, so again, web  application firewall is really, really important.   01:07:32,910 --> 01:07:38,790 Now, looking at the tool we'll be using, the tool  has actually a very, very funny name you for some   01:07:38,790 --> 01:07:43,530 of you might find it hilarious, it is called wolf  wolf. Now for those of you who have heard of it,   01:07:43,530 --> 01:07:48,900 you pretty much already know how to detect a web  application firewall, but it's really very, very   01:07:48,900 --> 01:07:54,720 simple. Alright, so just open up your terminal.  And what you want to do is you want to type in   01:07:54,720 --> 01:08:01,710 wolf wolf. Alright, so this is how it is going  to be spelt. So it's worth Wolf with a tooth with   01:08:01,710 --> 01:08:07,500 two zeros. And the syntax is pretty simple. If I  just hit enter, as you can see, we're forth a web   01:08:07,500 --> 01:08:12,570 application firewall detection tool. Alright, so  credit go to the author, it's actually it's a tool   01:08:12,570 --> 01:08:17,970 that's been there since the, I think almost the  last version of backtrack and the first version   01:08:17,970 --> 01:08:23,430 of Kali. So again, quite an old tool, I when I say  old, I mean, you know, I mean that with respect,   01:08:23,430 --> 01:08:28,770 given the fact that it's a really, really useful  and I've used it a lot because it saves you a lot   01:08:28,770 --> 01:08:36,540 of time. And what I'm talking about is, so let's  say we want to scan a website, okay. In this case,   01:08:36,540 --> 01:08:41,880 I have my WordPress server running here. And as  you can see, it's the site is being hosted on   01:08:41,880 --> 01:08:48,810 190 2.1 68 point 1.11. Alright, so I have that IP  opened up in my browser. And as you can see, it's   01:08:48,810 --> 01:08:52,380 a WordPress site. And this site is vulnerable.  And this is what we're going to be performing   01:08:52,380 --> 01:08:59,020 later on the penetration tests on. But for now, we  want to find out whether it has a firewall. Now by   01:08:59,020 --> 01:09:03,880 default, I know it doesn't have a firewall. But  let's see what we're for Fidelis, alright, so the   01:09:03,880 --> 01:09:08,680 syntax is very simple. As you can see, you just  type in wolf Wolf, and you enter your URL or your   01:09:08,680 --> 01:09:13,870 URL, so you can enter as many as you like. Okay,  so I'll give you an example of how to go about it,   01:09:13,870 --> 01:09:21,490 make sure you enter your HTTP or HTTPS protocol.  And we just, let's try that out. So Wolf, Wolf,   01:09:21,490 --> 01:09:29,560 and we specify our protocol HTTP in this case, and  the IP address 190 2.1 68 point 1.11. All right,   01:09:29,560 --> 01:09:34,570 now in this case, I'm pretty sure that it  won't detect any web application firewall.   01:09:34,570 --> 01:09:40,150 So let me just hit Enter. And as you can see,  no web application firewall detected by the   01:09:40,150 --> 01:09:44,920 generic detection. Alright, now this is very,  very advanced. And this tool is an industry   01:09:44,920 --> 01:09:49,960 standard. And if it does tell you that there is  no web application firewall, then by all means,   01:09:49,960 --> 01:09:55,720 I can guarantee that it will it does not have  a firewall. Now let's look at one of my sites   01:09:55,720 --> 01:10:02,950 that I currently own. It's a site that I use. It's  actually My web development company that obviously   01:10:02,950 --> 01:10:08,800 we use for web development now I've predicted this  site with a web application firewall provided by   01:10:08,800 --> 01:10:12,640 CloudFlare. Now, for those of you who are web  developers, and when you're performing your   01:10:12,640 --> 01:10:16,870 hosting, you know that using CloudFlare is awesome  because it allows you to optimize your site for   01:10:16,870 --> 01:10:22,900 speed. It allows you to purchase assets and make  your site faster, protected, and again, protected   01:10:22,900 --> 01:10:29,110 from DDoS attacks, etc, etc, all the good stuff.  So let's see if it will actually detect this. So   01:10:29,110 --> 01:10:35,170 I'm going to type in wolf wolf. I know that name  is really, really funny. The protocol is HTTPS,   01:10:35,170 --> 01:10:43,000 https like so and I'm going to specify the  site which is Elgon studios.com. Alright,   01:10:43,000 --> 01:10:48,280 Elgon studios.com. And if I enter, as you can  see, it's going to start checking the site, give   01:10:48,280 --> 01:10:53,740 it a few seconds, it shouldn't take any much. You  know, a lot of time, and as you can see the site,   01:10:53,740 --> 01:11:00,970 Elgon studios.com is behind CloudFlare. Right now,  what this means is that most of the most of the   01:11:00,970 --> 01:11:07,360 attacks that involve manipulation of data will  be in some way blocked. And you know, you won't   01:11:07,360 --> 01:11:12,530 get your response back the way you wanted it. And  the render wouldn't be the same. Right now. Again,   01:11:12,530 --> 01:11:16,550 as you can see, it detected that it is behind  a web application firewall. Now the next step   01:11:16,550 --> 01:11:23,570 is how to encode these, how to encode encode your  your requests that you're going to be sending to   01:11:23,570 --> 01:11:27,890 the web application. And that's what we'll be  looking at as we increase the security level,   01:11:27,890 --> 01:11:32,600 using the the dam vulnerable web application.  Alright, so I thought, this is something that   01:11:32,600 --> 01:11:37,160 I really need to share with you, again, it's  going to really help you. And I promise you, this   01:11:37,160 --> 01:11:41,930 is something that, you know, if you go for a job  interview, or you're performing a penetration test   01:11:41,930 --> 01:11:46,940 for a company, this is something that most of the  network or systems administrators are very keen   01:11:46,940 --> 01:11:51,890 on, they want to know whether you really know your  stuff, and whether you're really up to date with   01:11:51,890 --> 01:11:56,870 how to detect, first of all, because information  gathering is really important. And as you can see,   01:11:56,870 --> 01:12:01,640 this tool is fantastic. And once you know there's  a firewall, you then have a better idea of how to   01:12:01,640 --> 01:12:05,780 target and you won't be wasting time. Again,  that's something that most of the amateurs or   01:12:05,780 --> 01:12:11,270 beginners do. They waste a lot of time trying  different commands that they've seen, but they   01:12:11,270 --> 01:12:15,740 find the date and they see that it doesn't work.  And they're like, how is this possible? Am I doing   01:12:15,740 --> 01:12:22,340 something wrong? The truth is, the web application  is probably well protected. So again, you know,   01:12:22,340 --> 01:12:26,960 do not use this for any malicious purposes. Again,  this is simply an information gathering tool.   01:12:30,960 --> 01:12:36,600 I'm going to be showing you how to use der Buster  to discover directories and files on a website or   01:12:36,600 --> 01:12:41,940 a web application. You might be asking yourself,  what is der Buster? Or if you haven't heard of   01:12:41,940 --> 01:12:47,970 der buster, let me explain it to you. Alright,  so the airburst is essentially a tool that was   01:12:47,970 --> 01:12:54,090 developed by OS, the open web application security  project, and essentially uses a brute forcing to   01:12:54,090 --> 01:12:59,220 find commonly used directories and file names  on servers. Alright, so this tool is extremely   01:12:59,220 --> 01:13:03,810 useful for those of you who are doing CTF, for  those of you who are bug bounty hunters, because   01:13:03,810 --> 01:13:10,590 essentially, it allows you to understand the  structure of a web web application or a website in   01:13:10,590 --> 01:13:15,630 terms of the files and directories and how they're  structured. Alright, so why is this important?   01:13:15,630 --> 01:13:21,840 Well, this is important because this will help us  understand how we can attack a site or what type   01:13:21,840 --> 01:13:26,820 of attack vectors we can, we can we can find, you  know, so for example, if I the web application,   01:13:26,820 --> 01:13:31,920 and I'm going to demonstrate that right now, and  I scanned it with the bust, and we found some   01:13:31,920 --> 01:13:37,560 hidden directories and hidden files, we can use  these as attack vectors. Alright, so as I said,   01:13:37,560 --> 01:13:43,410 it also allows you to find hidden directories or  files that are hidden from the public. So this   01:13:43,410 --> 01:13:48,510 can also lead you to, to finding additional  resources that could have been hidden away   01:13:48,510 --> 01:13:55,230 by the devs that like for example, admin pages,  etc, etc. Alright, so how does it work? Well,   01:13:55,230 --> 01:14:00,960 really simply, once you start up there, Buster,  and again, as I mentioned, it uses brute forcing   01:14:00,960 --> 01:14:06,480 so I'll explain where wordless come into play.  So you open it up and you select the URL of the   01:14:06,480 --> 01:14:11,850 web application or the website and you specify  the port The port is is the is definitely going   01:14:11,850 --> 01:14:19,500 to be HTTP sewed a the a port 80 or Port 443. And  then you select the word list now, in this case,   01:14:19,500 --> 01:14:27,150 Cali annex already has a dub dub Buster word list  that that are designed, it has three of them that   01:14:27,150 --> 01:14:31,650 are designed for different types of scenarios.  And I'll explain them as we move along. All right,   01:14:31,650 --> 01:14:37,020 and essentially how it works is once you start  the brute force attack, it will send HTTP GET   01:14:37,020 --> 01:14:42,090 requests, and it will wait for the response from  the server or the web, the web application. If   01:14:42,090 --> 01:14:48,700 it gets a 200 response. That means that yes, that  directory exists. Alright, if it gets if it gets a   01:14:48,700 --> 01:14:54,490 bad response, meaning like 400 or four or three,  meaning no access, then it'll it will it will   01:14:54,490 --> 01:14:59,530 know that that directory of file doesn't exist. So  it's essentially testing directories on the server   01:14:59,530 --> 01:15:05,470 against This, this word list. So it will check,  for example, is there a temp folder, if it sends   01:15:05,470 --> 01:15:10,840 a temp request to the server, it gets a response,  a positive response, then it knows it's there,   01:15:10,840 --> 01:15:16,390 and then it will enumerate them. Alright, so let's  start off really, really simply. So I'm on Cali   01:15:16,390 --> 01:15:24,010 the next, I have the OS, broken web application,  right here. And I'm going to be demonstrating two   01:15:24,010 --> 01:15:27,640 scenarios. So you can see I'm running that  here. And that has a lot of vulnerable web   01:15:27,640 --> 01:15:33,100 applications. But the whole idea is to demonstrate  how directories can be found. Alright, and why   01:15:33,100 --> 01:15:38,650 this is extremely important, especially for a  web application penetration tester. Alright, so   01:15:38,650 --> 01:15:44,050 I'm gonna pull up Firefox. And as you can see, you  have the open web application project right here,   01:15:44,050 --> 01:15:51,850 the OS B web, as they call it, and it has plenty  of ways of me testing this. But what if I was to   01:15:51,850 --> 01:15:56,890 just test the entire server? Alright, so this is  a web server. What if I was to test the entire web   01:15:56,890 --> 01:16:02,560 so well, I'm guessing that there going to be a lot  of files and directories. So what we can do is,   01:16:02,560 --> 01:16:08,140 we can start off with a perfect example of how  this will work is let's say you're targeting a   01:16:08,140 --> 01:16:12,220 WordPress site. So I'm going to open up the broken  WordPress. Now, of course, this is an very old   01:16:12,220 --> 01:16:18,310 one, and we're not really exploiting anything. But  by using this example, it will let us understand   01:16:18,310 --> 01:16:24,940 how we can enumerate the different directories and  folders, you know, on this WordPress installation,   01:16:24,940 --> 01:16:29,440 or if you are target targeting a WordPress  site, this is the way you do it. So I'm going   01:16:29,440 --> 01:16:34,900 to copy the URL with the with the directory right  here. So it we know it's in the WordPress folder,   01:16:34,900 --> 01:16:39,760 because that is the root directory of the of  the web server and we're selecting the WordPress   01:16:39,760 --> 01:16:45,370 installation. But for the website, you will  select the URL. Alright. And that's for the port,   01:16:45,370 --> 01:16:50,650 we know that this is the default HTTP port, which  means it's Port 80. Alright, so I have doorbuster.   01:16:50,650 --> 01:16:55,630 Right here, if you can't find it, just you can use  the start menu and type in der buster, it's going   01:16:55,630 --> 01:17:00,630 to be like so just this click on it, and give it a  few seconds to start up. So again, it was designed   01:17:00,630 --> 01:17:06,390 by the OS team. So it works really, really well.  And again, this is something that I'm sure if you   01:17:06,390 --> 01:17:12,240 if you are a web application penetration tester,  or you do do the CTF challenges, then you will,   01:17:12,240 --> 01:17:18,180 you'll know that use this tool a lot. Alright, so  we in here, we have the target URL, and that will   01:17:18,180 --> 01:17:26,580 we will paste it Alright, so we can paste it right  here. So Ctrl V, and that is the URL. Now in the   01:17:26,580 --> 01:17:31,860 work method, if you want to, if you want the scan  to be faster, you can use the GET requests, but   01:17:31,860 --> 01:17:37,380 what we can do is auto switch them from the head  and get and that will give us a more robust or a   01:17:37,380 --> 01:17:42,690 more accurate response rate. Alright, so in terms  of the number of days, this is how fast you want,   01:17:42,690 --> 01:17:47,760 you want the scan or the brute force to be, so the  faster the better depending on your hardware. And   01:17:47,760 --> 01:17:52,740 of course, you don't want to overload the server,  so I'm just going to go hit click on Go faster,   01:17:52,740 --> 01:17:57,930 that's probably works the best for me. But if you  wanted to run faster, then that means it's gonna,   01:17:57,930 --> 01:18:02,550 it's gonna have multiple requests and threads  being sent from your computer. Alright,   01:18:02,550 --> 01:18:07,590 so I like keeping it at just 200 threads, which  is go faster. And because I'm testing my own web   01:18:07,590 --> 01:18:13,680 server, I can, you know, I can pretty much  increase it to whatever I want. So usually,   01:18:13,680 --> 01:18:18,600 if you're talking about a bigger server or a  bigger web application, then it doesn't really   01:18:18,600 --> 01:18:23,100 matter how many requests or many threads you use,  it will not really affect the performance of the   01:18:23,100 --> 01:18:28,020 web server. But if I was to run it at maybe a  maximum speed, you'd see that the web server   01:18:28,020 --> 01:18:34,590 would be lagging out, you know, out of the amount  of requests that are being sent. Because you know,   01:18:34,590 --> 01:18:39,210 you have to understand it from a fundamental point  of view, we are requesting different web pages,   01:18:39,210 --> 01:18:44,280 and the server has to process them. So if the if  the if the server is not running on on, you know,   01:18:44,280 --> 01:18:49,380 good resources, like it's running on one gigabyte  of RAM, it's very easy to make it lag out,   01:18:49,380 --> 01:18:54,450 and to actually cause some sort of a denial of  service just because of the amount of requests.   01:18:54,450 --> 01:18:59,700 But in this case, we are performing it you  know, with with an ethical perspective. So now,   01:18:59,700 --> 01:19:05,070 you want to select a list based brute force or you  can use a pure brute force. But I don't recommend   01:19:05,070 --> 01:19:10,740 that that doesn't really work. And you now need to  select your word list your doorbuster word list.   01:19:10,740 --> 01:19:16,020 Now by default on Kali Linux and on paradise,  these are found in the user share folder on the   01:19:16,020 --> 01:19:20,430 under word list. And you can find the doorbuster  word list right there. So I'm going to show you   01:19:20,430 --> 01:19:24,360 that right now. So I'm going to browse, I'm going  to go to my root and I'm going to go into user   01:19:24,360 --> 01:19:30,030 and I'm going to go into share. And let's go into  Word Lists here. Let's see if I can find it. It's   01:19:30,030 --> 01:19:38,160 obviously with a W. Where it Where is it? Let's  see. Let's see. Let's see where is wordless story   01:19:38,160 --> 01:19:42,180 if I can see this. Yeah, there we are. Sorry about  that. wordlist and you now want to go into der   01:19:42,180 --> 01:19:46,770 buster. Alright, so there is going to be a folder  called der buster. And now you might be a little   01:19:46,770 --> 01:19:52,470 bit confused. Well, really, you don't need to need  me to be confused. That's why I'm here. So as a   01:19:52,470 --> 01:19:58,050 beginner you might be wondering like which one  is better. Now as an advanced penetration test,   01:19:58,050 --> 01:20:03,000 I know which one is the best in Most cases,  it's going to be the medium the directory list   01:20:03,000 --> 01:20:09,120 2.3 medium dot txt. Now, if you're scanning a very  small web application that that's not that really   01:20:09,120 --> 01:20:16,350 complex, like a simple HTML site, you know, HTML,  CSS, whatever you want to call it, then I would   01:20:16,350 --> 01:20:21,060 recommend the smaller one. But if you're scanning  a big site, like a WordPress installation,   01:20:21,060 --> 01:20:27,390 or a Joomla installation, then you should use the  medium one, this will work 99% of the time unless   01:20:27,390 --> 01:20:33,120 your your, your requests are being blocked by  either a web application firewall or by the,   01:20:33,120 --> 01:20:38,760 the host. So I'm just going to select list.  Alright. And now in terms of these other options,   01:20:38,760 --> 01:20:42,450 you can see it's, it's going to essentially  brute force brute force the directories,   01:20:42,450 --> 01:20:47,160 the files, it's going to be recursive, which is  great. And the directory, you must specify the   01:20:47,160 --> 01:20:53,340 directory if it is if you are trying to perform  a scan that is directory sensitive. Alright,   01:20:53,340 --> 01:20:59,190 and standard start point, just leave it like  that. And you now want to hit start. Alright,   01:20:59,190 --> 01:21:03,720 so once you start is going to start brute forcing  the web server against, it's going to start   01:21:03,720 --> 01:21:09,270 sending the request. And if it gets the responses,  the positive responses is going to, it's going to   01:21:09,270 --> 01:21:14,460 understand that yes, that directory does exist.  Now you can see we have a response that is being   01:21:14,460 --> 01:21:20,370 sent here. And it's going to tell tell you that  it is unable to determine a consistent failed   01:21:20,370 --> 01:21:27,450 response, which means some directories and files  are being you're getting a negative or you're   01:21:27,450 --> 01:21:31,800 getting a no access response, meaning that that  directory doesn't exist. So what you can do is   01:21:31,800 --> 01:21:36,990 just hit Cancel to these ones in it Yes. And it's  going to continue scanning the other ones. Now of   01:21:36,990 --> 01:21:41,430 course down here you can see since it's performing  a brute force, you can look at the current speed,   01:21:41,430 --> 01:21:47,040 which varies dependent on the amount of  directories, the average speed, and it will   01:21:47,041 --> 01:21:52,021 tell you the total amount of requests done out of  the amount that could be done depending on on the   01:21:52,021 --> 01:21:56,341 word list that you have selected. And finally, you  have the time to finish. Now, of course, this will   01:21:56,340 --> 01:22:03,030 vary depending on a lot of factors. But mostly  it depends on the speed of the scan that you've   01:22:03,030 --> 01:22:07,290 selected, and the and the word list. So you have  your scan information here, it's going to tell you   01:22:07,291 --> 01:22:13,321 what folders and files it's testing. And in here,  you can see the results in terms of directories   01:22:13,320 --> 01:22:18,150 and files that it was able to find. And in the  results, this is going to give you the directory   01:22:18,150 --> 01:22:23,400 structure as to how files and folders are being  structured on the web application. Now by default,   01:22:23,400 --> 01:22:29,040 right now, you can see the amount of the  files and folders that it has found are,   01:22:29,041 --> 01:22:34,201 for example, the WordPress register dot php.  So if we open that, if you right click on it,   01:22:34,200 --> 01:22:39,270 you can open it in the URL, or you can view  the response that it gave. And you can copy it,   01:22:39,271 --> 01:22:43,711 you understand you get the basic functionality  here. And then you can open it in your browser.   01:22:43,710 --> 01:22:48,270 So again, you see that we are finding files that  we otherwise wouldn't have known existed. Now,   01:22:48,271 --> 01:22:53,551 of course, for a default WordPress installation,  you would have guessed that this does exist. But   01:22:53,550 --> 01:22:59,160 remember, most people are for volken, for most  other installations on configured figurations,   01:22:59,160 --> 01:23:05,490 this can be a great way of finding files and  folders that you didn't know existed. And again,   01:23:05,490 --> 01:23:09,720 discovering them is very, very important. And  this can give you different attack vectors. So   01:23:09,720 --> 01:23:14,760 for example, if I went to the admin dot php, and  it forced me to log in, that might be a good place   01:23:14,760 --> 01:23:20,460 to start brute forcing, if I had credentials, if  not, you can choose Select another attack vector.   01:23:20,460 --> 01:23:25,290 So let me just move back here you can see we have  the register page here, which we just clicked on.   01:23:25,291 --> 01:23:30,871 Let's look at the WordPress login dot php. So  I'm gonna open that up in the browser. Now you   01:23:30,870 --> 01:23:35,370 can see the server is not responding. And that's  another point that I wanted to point out. If you   01:23:35,370 --> 01:23:41,270 want to be as you know, right now we are being  as promiscuous as possible. Because we it's   01:23:41,270 --> 01:23:46,880 not really a web application that is delivering  service to other people. But because it's hosted   01:23:46,880 --> 01:23:51,740 on my local area network. So in this case, you  can do a performing a type of denial of service.   01:23:51,740 --> 01:23:57,170 And that's because the server is located very,  very minimal resources to this virtual machine.   01:23:57,170 --> 01:24:01,370 So that's why it's kind of lagging out. Alright,  so that's something to take into consideration.   01:24:01,370 --> 01:24:07,010 Now if I was to, to pause the attack, like so if I  was to just pause it, remember, you can pause it,   01:24:07,010 --> 01:24:12,470 and you can stop it. And let me just go back  here. And let's see if we can reload these pages,   01:24:12,470 --> 01:24:18,050 they should be able to, to be reloaded quick  enough. Let me let me just load that up. And   01:24:18,050 --> 01:24:24,980 we can close this one. Let's see if the WordPress  register page does open up. If this virtual, yeah,   01:24:24,980 --> 01:24:29,840 there we are. So you can see even though this  is a very old WordPress installation, that we   01:24:29,840 --> 01:24:35,090 were causing it to lag out. So always keep that in  mind that the amount of threads that you say can   01:24:35,090 --> 01:24:40,610 affect the performance of the website of or of the  web application and you don't want to cause any   01:24:40,610 --> 01:24:47,180 any impact to customers if you're performing the  test on a real world working web application or   01:24:47,180 --> 01:24:51,950 website. Alright, just something you might want to  take into consideration. So we're going to resume   01:24:51,950 --> 01:24:56,360 it and of course I'm not going to expect to find  anything we add here. Although this WordPress   01:24:56,360 --> 01:25:01,760 installation is designed to be vulnerable.  So you can also change the number of threads   01:25:01,760 --> 01:25:07,280 running right here. So if I wanted to run, you  know, maybe on 10 threads, which is quite slow,   01:25:07,280 --> 01:25:13,700 that means you will get, the enumeration process  will take longer. So it's all about balancing your   01:25:13,700 --> 01:25:18,950 resources and understanding what you're trying  to look for. And of course, this can be a very,   01:25:18,950 --> 01:25:26,510 very useful tool. When doing bug bounties, or,  or CTF for that matter, especially hack the box,   01:25:30,250 --> 01:25:34,459 we are going to be looking at something that is  extremely important and something that should be   01:25:34,459 --> 01:25:40,189 understood completely, and that is cross site  scripting. Alright, now before we get started,   01:25:40,189 --> 01:25:44,989 I'm just going to explain what we're going to  be looking at explain what we're going to be   01:25:44,990 --> 01:25:50,330 looking at in this video, we're going to start  off with explaining what cross site scripting is,   01:25:50,330 --> 01:25:55,340 I'm going to be showing you the environment  that we'll be using for testing any of these,   01:25:55,340 --> 01:26:01,250 any of these attacks just because they allow  us to illustrate or they allow me to explain   01:26:01,250 --> 01:26:05,930 how everything works, because that's the most  important thing for me is that you understand   01:26:05,930 --> 01:26:11,570 what you're you're listening to, and you have a  good representation of what's going on. Alright,   01:26:11,570 --> 01:26:18,410 so I'll be explaining stored. I'll be explaining  the reflected stored and Dom cross site scripting.   01:26:18,410 --> 01:26:24,080 Alright, so let's get started with me explaining  what environment I'm currently running. So you   01:26:24,080 --> 01:26:30,500 can see that I'm running Kali Linux right now.  But I am going to be using the OS broken web   01:26:30,500 --> 01:26:34,700 applications project. So I'll have this in  the description section, it is essentially   01:26:34,700 --> 01:26:40,220 a virtual machine, that you can easily just run  on VirtualBox or VMware. I'm currently running   01:26:40,220 --> 01:26:49,730 it here. As you can see, I just got the local  IP, it's 190 2.1 68 point 1.111. All right, so   01:26:49,729 --> 01:26:56,299 I have that running. And I'm running this on Kali  Linux, and I already have opened up the URL in my   01:26:56,300 --> 01:27:02,060 browser. So you can see from here, I've opened  up v whap. And I've opened up webgoat, because   01:27:02,060 --> 01:27:07,190 that's what I'm going to be using to explain each  of these cross site scripting attacks. So if I   01:27:07,189 --> 01:27:13,939 was to do that false to just open up 190 2.1 68  point 1.11, yours could be different, it should   01:27:13,939 --> 01:27:19,689 be different. Depending on your IP configuration,  and subnet, then it'll take you to the OS, b,   01:27:19,690 --> 01:27:25,760 w A, or the OS broken web applications project.  The latest version, as of recording this video   01:27:25,760 --> 01:27:34,550 is version 1.2. So we will be using webgoat and B  web, or the broken web application project for for   01:27:34,550 --> 01:27:41,240 this demonstration. So the default credentials for  webgoat are going to be guest for the username and   01:27:41,240 --> 01:27:47,770 guest for the password. And for B whap. It should  give you the prompt right over there. I think it's   01:27:47,770 --> 01:27:53,305 going to be bug app or something like that. But  irregardless, it will tell you what it is. All   01:27:53,305 --> 01:27:58,060 right. So make sure you open that up, and you have  that all set up. So I've logged in to be web and   01:27:58,060 --> 01:28:03,460 I have a web goat started up right here. Alright,  so let me close that up. And we are ready to go.   01:28:03,460 --> 01:28:08,410 Now before we even move on into performing these  attacks, it's very important to understand what's   01:28:08,410 --> 01:28:14,290 going on here with with cross site scripting,  what it is how it works. And what are you exactly   01:28:14,290 --> 01:28:19,540 taking advantage of right now, this is where a lot  of people make mistakes. And if you want to be a   01:28:19,540 --> 01:28:24,670 successful web application penetration tester, you  need to understand, you know, from a fundamental   01:28:24,670 --> 01:28:30,070 level, what's going on here. Alright, so let's  get started. What is cross site scripting? Well,   01:28:30,070 --> 01:28:38,200 simply put it is the process of injecting a script  into a into the parameter in a URL to attack   01:28:38,200 --> 01:28:44,890 a user of the site or to potentially attack the  server side of the website or the web application,   01:28:44,890 --> 01:28:49,840 right? So essentially, is the inject the  injection of a script into the parameter of   01:28:49,840 --> 01:28:54,910 a URL. All right, that's essentially what it is.  Now, of course, this may be quite confusing, but   01:28:54,910 --> 01:29:02,050 don't worry, I'll explain what's going on here. So  let's start off with with, first of all explaining   01:29:02,050 --> 01:29:07,960 the three types of cross site scripting. All  right, the first one is reflected and then   01:29:07,960 --> 01:29:14,680 we have stored and Dom. So with reflected what's  happening here is the data is inputted and then,   01:29:14,680 --> 01:29:20,260 you know, reflected directly back back on the  screen. So I'll explain this in a second. Alright,   01:29:20,260 --> 01:29:27,340 so if we are to look at this from a fundamental  perspective, I'll show you how to access this,   01:29:27,340 --> 01:29:32,320 you know how to navigate the view up. Just give  me a second, let me explain what's going on. So   01:29:32,320 --> 01:29:37,270 essentially, what's happening with reflected cross  site scripting is that the input is going to be   01:29:37,270 --> 01:29:42,280 stored in the parameter of the URL. All right,  and I'll explain how this differs with each type   01:29:42,280 --> 01:29:46,630 of attack. Because many of you will point out and  say, well, it's not only to do with parameters,   01:29:46,630 --> 01:29:52,450 and don't worry, I'll explain all of this.  Alright, so we can essentially manipulate the the   01:29:52,450 --> 01:29:58,511 parameter of the URL, so that we can essentially  run a script. Now what type of script we can run a   01:29:58,510 --> 01:30:02,710 malicious script that is based on in JavaScript,  and I'll explain that right now. So you can see   01:30:02,710 --> 01:30:07,420 with our portal, you don't want to touch anything  here, you can set the security level. But for now,   01:30:07,420 --> 01:30:12,580 I recommend setting it to lope. Not that that's  going to hurt anyone's ego. Because remember,   01:30:12,580 --> 01:30:18,280 you have to be humbled to begin, and you need to  understand what's going on first. So we will open   01:30:18,280 --> 01:30:23,440 up the Jews, the bugs section here, and we want  to go down into cross site scripting. And we want   01:30:23,440 --> 01:30:28,600 to go into reflected which essentially deals with  the get the get request. So we're going to start   01:30:28,600 --> 01:30:32,770 off with that. And this will really make you  understand what's going on here. So if I click   01:30:32,770 --> 01:30:39,610 on that, and I just hit hack. Alright, so now it's  going to give us a prompt here. And you might be   01:30:39,610 --> 01:30:45,220 asking, Well, what what do you mean, what exactly  is going on, if I was to not enter any details   01:30:45,220 --> 01:30:50,440 into the, you know, into these fields, right  here. So for example, you can see I just had a   01:30:50,440 --> 01:30:55,330 suggestion there, that's because I was testing it  out. But if I was to hit go, you can see that in   01:30:55,330 --> 01:31:01,300 the URL, we do have the input here. So you can see  the values can be edited directly into the form.   01:31:01,300 --> 01:31:07,240 So you can see first name has no value. And then  we have the last name, which again has no value,   01:31:07,240 --> 01:31:11,500 and you can see that it is submitting a form.  So what we can do is run some JavaScript code   01:31:11,500 --> 01:31:16,180 in here. And the most common way of explaining  what's going on here, of course, not running a   01:31:16,180 --> 01:31:21,100 very malicious code right now, it's essentially  explaining and demonstrating that it does work is   01:31:21,100 --> 01:31:26,530 I can run a piece of code here. Now, of course,  when you put this into a practical perspective,   01:31:26,530 --> 01:31:32,230 many sites are going to filter the content that  you can enter in these fields, all these forms,   01:31:32,230 --> 01:31:38,260 and will essentially will not allow you to  run JavaScript code and you know, obviously,   01:31:38,260 --> 01:31:45,220 to protect, protect the site from these type of  attacks. But what you can do is encapsulated to   01:31:45,220 --> 01:31:49,150 encode it in a different type of language.  Or, as I said, I'll show y'all everything,   01:31:49,150 --> 01:31:55,090 or how all of this works. So this right, right  now, being the current security level, as low,   01:31:55,090 --> 01:32:01,810 we are a lot a lot essentially encode, it will  not verify or validate what we're entering in   01:32:01,810 --> 01:32:07,720 here what input is being given. So if we were  to type in a script here, so we can say script,   01:32:07,720 --> 01:32:12,580 and you can see the recommendation there script,  that's mine. So if I was to type in alert, and   01:32:12,580 --> 01:32:17,560 this is JavaScript, so I'm pretty, I'm pretty sure  you can you know what's going on. So we can say,   01:32:17,560 --> 01:32:30,310 Hello world. This is an example of reflected  accesses, or cross site scripting, and we can   01:32:30,310 --> 01:32:35,200 close that operate now. And then we need to close  the script. So we can do that in the next field or   01:32:35,200 --> 01:32:39,850 the next parameter. Most people like doing it from  the start. But this is just to show you how robust   01:32:39,850 --> 01:32:45,970 this can be. So I type in I close the script and  hit go. And as you can see, it gives us the alert,   01:32:45,970 --> 01:32:52,240 which is what we and we which is what we used  as a form of, of me showing you that it does   01:32:52,240 --> 01:32:57,880 work and it will be processed, the input will be  processed and will be sent back to you, you being   01:32:57,880 --> 01:33:04,000 the client. And we can just hit OK. And that was  an example of reflected excess cross cross site   01:33:04,000 --> 01:33:08,260 scripting, using the get method. Now of course  we can, I can replicate this many, many times   01:33:08,260 --> 01:33:14,110 using the other types of cross site scripting, for  example, with the post, etc, etc. We'll be looking   01:33:14,110 --> 01:33:19,240 at all of that. But for now we need to understand  what's going on here. Now next, we need to look   01:33:19,240 --> 01:33:24,520 at stored cross site scripting, this is probably  my favorite because of the potential that it does   01:33:24,520 --> 01:33:30,250 have. Alright, so let's go into the juicy bug menu  here. And we want to go into cross site scripting,   01:33:30,250 --> 01:33:37,120 and we want to go we want to go for the blog,  cross site scripting stored cross site scripting,   01:33:37,120 --> 01:33:41,170 and we're gonna select blog, and I'll  explain why in a second. Alright, so first,   01:33:41,169 --> 01:33:46,599 let me explain what stored cross site scripting  is. So essentially, with this with the cross site   01:33:46,600 --> 01:33:52,030 scripting attacks, more specifically, these stored  attacks, essentially, what's happening is you're   01:33:52,030 --> 01:33:58,420 attacking the input. And you're essentially  attacking the input that is to be stored or   01:33:58,419 --> 01:34:03,039 you're attacking the data, or, essentially, I'll  explain this really simply, so you're attacking   01:34:03,040 --> 01:34:08,830 the input that is to be stored on a database. So  what you're doing is you're essentially injecting   01:34:08,830 --> 01:34:13,480 malicious code that will be saved into a database,  or that is going to be saved by the server,   01:34:13,479 --> 01:34:19,780 or the web application server. And then you can  definitely you since it's being stored, you can   01:34:19,780 --> 01:34:24,760 access it later on or other users can access it.  And for example, if it's running malicious code,   01:34:24,760 --> 01:34:29,290 it can trigger different things like opening  the webcam of a user stealing different type of   01:34:29,290 --> 01:34:34,540 information. I'm not going to go into what you can  do with it, but you can really do a lot of stuff,   01:34:34,540 --> 01:34:39,700 a lot of malicious stuff with code. Alright, so  let me explain what's going on here. So with this   01:34:39,700 --> 01:34:45,940 stored, cross site scripting, you can essentially  inject malicious code into the database again,   01:34:45,940 --> 01:34:51,850 that then that when accessed runs this  malicious code. Alright, so if you can see   01:34:51,850 --> 01:34:57,290 this is an example of a blog. Let me explain what  I mean the best places to implement stored cross   01:34:57,290 --> 01:35:04,510 site scripting is in places like means, you know  forums. And again, as you can see write your blog   01:35:04,510 --> 01:35:09,460 in the form of comments that you know, or pages  that can be accessed later, or data that is being   01:35:09,460 --> 01:35:15,010 stored in directly into the database, any database  for that matter as long as it's being stored,   01:35:15,010 --> 01:35:20,860 okay, so we can type in something like hello.  And we can submit that to the database. And   01:35:20,860 --> 01:35:25,600 you can see it's getting stored. And you have  the different tables, you have the the number,   01:35:25,600 --> 01:35:33,880 the owner, the date and the entry. So now we can  also run a script in here. Alright, so what if we   01:35:33,880 --> 01:35:39,640 were to enter Java scripts, and again, this data,  given our security level is any of the data that   01:35:39,640 --> 01:35:45,010 we're entering is not being validated. So you  can essentially enter it raw. Now in reality,   01:35:45,010 --> 01:35:49,900 if you go and try and enter a script in the  native will not be accepted, because, again,   01:35:49,900 --> 01:35:53,470 they're protecting their site against that.  That's one way of mitigation, very basic,   01:35:53,470 --> 01:35:58,480 I'm sure you know what I'm talking about. Alright,  so enough of me rambling on. So if we are doing   01:35:58,480 --> 01:36:04,990 enter the same script we entered, we are to say  script. And we then say, alert, for example,   01:36:04,990 --> 01:36:09,430 we can you can use any type of JavaScript code  you want here, and you can experiment, you know,   01:36:09,430 --> 01:36:15,040 you these web applications are there for you to  experiment and test your skills out. So first   01:36:15,040 --> 01:36:25,120 to say, Hello world. This is stored out stored  cross site scripting, and we just close that up   01:36:25,120 --> 01:36:29,980 there. And of course, we have to close the script,  because we know that that will not execute if we   01:36:29,980 --> 01:36:37,630 do not code it correctly. Okay, so now we can we  can add that. And if I was to just hit submit,   01:36:37,630 --> 01:36:43,060 right, now, you can see that it's going to store  and with that being the latest blog post, you can   01:36:43,060 --> 01:36:46,420 see it's going to tell you, it's going to execute  the script. And it's going to say hello world.   01:36:46,420 --> 01:36:52,420 This is stored cross site scripting. So an example  of a blog, if you're to post this on a page or a,   01:36:52,420 --> 01:36:58,780 you know, to make a blog post and inject this  script in, anyone opens that page will essentially   01:36:58,780 --> 01:37:04,630 run that malicious code. And whatever that code  does, can then furthermore, you know, cause damage   01:37:04,630 --> 01:37:09,880 to the user or to the server depending on what you  want it to do. So it's all dependent on what the   01:37:09,880 --> 01:37:14,200 attacker is to do. Remember what I told you in  the first video of this series, it's all about   01:37:14,200 --> 01:37:19,600 your mindset, and your your your willingness to  break things and to find out what does and doesn't   01:37:19,600 --> 01:37:27,040 work. Okay, so that was an example of stored  cross site scripting. And as I've mentioned,   01:37:27,040 --> 01:37:32,260 the most important thing to understand is this in  this scenario, the data is not being validated if   01:37:32,260 --> 01:37:37,750 it is being validated. And I'll show you that in  a second. Or probably in the next set of videos,   01:37:37,750 --> 01:37:43,210 we'll increase the security level, and I'll show  you how to get you know past this, you can see   01:37:43,210 --> 01:37:50,890 how things change as you move along in terms of  security levels. So I was going to use the V whap.   01:37:50,890 --> 01:37:55,960 This my first time using it. So I had to get a  bit of an introduction through the documentation.   01:37:55,960 --> 01:38:03,430 And I realize they don't have dumb cross site  scripting. So I that's why I had to use webgoat.   01:38:03,430 --> 01:38:08,740 They're the only ones I know who actually allow us  to run it. So as zoomed in right now, by the way,   01:38:08,740 --> 01:38:15,190 the credentials are guests for the username  and guest for the password. So essentially,   01:38:15,190 --> 01:38:20,140 I went through cross site scripting, and again,  they didn't have the DOM in here, all they were   01:38:20,140 --> 01:38:28,660 focusing on is stored and again, reflected. So I  found it to be in the eye x or Ajax or whatever   01:38:28,660 --> 01:38:34,360 you want to call it. And we have the the DOM  based cross site scripting, let me explain why   01:38:34,360 --> 01:38:41,260 it's in. This is based in Ajax security. This  is because Dom cross site scripting focuses on   01:38:41,260 --> 01:38:46,880 the client side. So any data or input that is  entered, whether it be a malicious code, etc,   01:38:46,880 --> 01:38:51,830 etc, is going to be processed by the client, not  the server. So any of the attacks will be based,   01:38:51,830 --> 01:38:58,190 of course, on the client. Now, let me explain  what I mean. If I am to run remember, JavaScript,   01:38:58,190 --> 01:39:05,570 server side, client side i x, for example.  So if I am to run, for example, a JavaScript   01:39:05,570 --> 01:39:10,940 code in this entry here, so script, and again, I  type in alert, just being the example and I say,   01:39:10,940 --> 01:39:16,610 Hello, let's keep that simple. And I close the  script here, you can see that we will probably   01:39:16,610 --> 01:39:21,440 not be left with anything will not get any result.  That's because it's being processed by the client,   01:39:21,440 --> 01:39:28,430 not by the server. So no, no result or no data  will be reflected back to us. If it was, you know,   01:39:28,430 --> 01:39:33,770 if it was reflected cross site, scripting it,  the server processes it, and then is reflected   01:39:33,770 --> 01:39:39,140 back to the client. So if I was to submit here,  you can see that nothing happens here. And that   01:39:39,140 --> 01:39:45,620 it is going to be taken as code. Now what if  we were to enter or use a language that that   01:39:45,620 --> 01:39:53,630 a client can understand? So let's say we want  to say, let's see, HTML, whatever to use HTML,   01:39:53,630 --> 01:40:00,530 so I can say in here, IMG, for example, that's a  very This is the way we learned it. So IMG See,   01:40:00,530 --> 01:40:05,870 and we don't have an image source. So we can leave  that like that. And then we can use the on error,   01:40:05,870 --> 01:40:12,590 in case we get an error of image which we will get  because the image has no source on error, we can   01:40:12,590 --> 01:40:21,620 say that is going to be, that is going to be equal  to alert. And then the alert we can input in here,   01:40:21,620 --> 01:40:28,820 we can say, Hello, whoops, hello world. And we  can close that up. And once we have closed it,   01:40:28,820 --> 01:40:34,940 you can see that we can, we can close that there.  And there you are. So it is great to be processed   01:40:34,940 --> 01:40:40,040 by the client, and you get the dialog box or the  alert with the message Hello world. So you can   01:40:40,040 --> 01:40:47,420 see that with Dom based cross site scripting, it  is all being processed all the input, whether it   01:40:47,420 --> 01:40:52,460 be malicious or not, is being processed by the  client. And Ei x is one of the largest languages   01:40:52,460 --> 01:40:57,260 that can be used. So you can also incorporate  a x if you wanted to test it out. Remember,   01:40:57,260 --> 01:41:02,390 it's all about experimentation and understanding,  I hope that you're you've got an understanding of   01:41:02,390 --> 01:41:07,070 what cross site scripting is, how it can be  used to manipulate data, whether it be on   01:41:07,070 --> 01:41:12,410 the client side on the database, and how you  can easily just transfer data with you know,   01:41:12,410 --> 01:41:17,000 bad security in place. Of course, this is  the these attacks will be a very uncommon   01:41:17,000 --> 01:41:20,960 now. But again, this was focused on more  on an explanation point of view. We're   01:41:25,260 --> 01:41:32,290 going to be looking at cross site request forgery,  or CSRF. Now, this is an extremely important topic   01:41:32,290 --> 01:41:37,660 and a big one that I cover it correctly. So for  the purpose of this video, I've set up a very   01:41:37,660 --> 01:41:43,870 unique environment that in at least in my opinion,  will demonstrate how to utilize or how to perform   01:41:43,870 --> 01:41:49,570 this attack. Alright, now I'm just going to give  you a brief overview of the environment that   01:41:49,570 --> 01:41:54,010 I have no, of course, you can see I have a few  files open here. Don't worry about them right now,   01:41:54,010 --> 01:41:59,260 just just remember that we'll be using them later  on. And I'll be using them really, really well to   01:41:59,260 --> 01:42:06,550 explain what's going on here. So you can see as my  target or as my vulnerable system I'm going to be   01:42:06,550 --> 01:42:12,160 using on my vulnerable web application, I should  say, I'm going to be using the OWASP juice shop   01:42:12,160 --> 01:42:19,150 now. Not actually no one actually recommended this  to me. But I remember that I performed this during   01:42:19,150 --> 01:42:25,990 a CTF challenge that I went to earlier, I think  late last year. I'm not too sure exactly when   01:42:25,990 --> 01:42:31,810 but the whole process was involved in exploiting  this web application. Alright, and in my opinion,   01:42:31,810 --> 01:42:38,470 this really outlined or really showed of how  to perform all of these various web application   01:42:38,470 --> 01:42:43,720 attacks. In this case, we're going to be  focusing on cross site request forgery. Alright,   01:42:43,720 --> 01:42:49,360 so I have the juice shop running it's, it's based  on a node.js. And it's running on my local host.   01:42:49,360 --> 01:42:53,170 Let me just show you that right now. There we  are. So I haven't logged in or done anything   01:42:53,170 --> 01:42:57,460 yet. And that's because I'm going to do that with  you. So I've set it up, it's running on my local   01:42:57,460 --> 01:43:05,560 host. Let's get started with this really, really  simple but sometimes complicated topic. Alright,   01:43:05,560 --> 01:43:12,340 so cross site request forgery CSRF. Now from  the name, you can already tell that it's split   01:43:12,340 --> 01:43:18,310 into two into two sections, you have your cross  site, and your request forgery. So from that,   01:43:18,310 --> 01:43:24,430 we can get a basic example of what's going on  here. We have cross site scripting, and we are   01:43:24,430 --> 01:43:30,610 going to be forging requests or we are going to be  manipulating requests. Hmm, interesting. So we are   01:43:30,610 --> 01:43:36,700 we are kind of understanding what's going on here.  Now the technical explanation for what CSRF is,   01:43:36,700 --> 01:43:43,730 is it is an attack that forces an end user to  executed unwanted actions on a web application   01:43:43,730 --> 01:43:50,000 in which they're currently authenticated. Alright,  so let me put that really, really simply, right,   01:43:50,000 --> 01:43:55,970 it's an attack that will force an end user to  execute unwanted actions on the web, on a web   01:43:55,970 --> 01:44:00,800 application, these actions can be anything, but in  this case, we're going to be looking at changing   01:44:00,800 --> 01:44:07,700 the password. And they have to be currently  authenticated to that web application, which means   01:44:07,700 --> 01:44:12,140 they have to be logged in to that web application  for this to work. Because if they're logged out,   01:44:12,140 --> 01:44:17,450 then you get the idea. It really doesn't help or  it doesn't work. Alright, so we use cross site   01:44:17,450 --> 01:44:23,360 scripting, in this case to perform the request  forgery, and to get either desired or undesired   01:44:23,360 --> 01:44:28,670 results. In our case, we're going to be looking  at how to to change the password of any user   01:44:28,670 --> 01:44:34,820 that's logged in to the to this web application.  And how will we How will we be doing that? Well,   01:44:34,820 --> 01:44:41,960 we are going to be using CSRF. But the first  thing you need to understand is how an HTML form   01:44:41,960 --> 01:44:48,260 works. Alright, and this is very important because  first of all, a client will request a page from a   01:44:48,260 --> 01:44:55,070 server. Alright, the server will then respond and  give the the client the HTML form. The client will   01:44:55,070 --> 01:45:02,390 then send back the form with the data back to the  server server will then authenticate and authorize   01:45:02,390 --> 01:45:08,990 the user and then will will perform the requested  action. And based on the request and the response,   01:45:08,990 --> 01:45:15,290 we are able to forge or to change the request  and get a desired response if you're looking at   01:45:15,290 --> 01:45:24,230 it from an attackers perspective. Alright, so,  the the way CRS CS CSRF works sorry about that   01:45:24,230 --> 01:45:29,690 is the attacker will manipulate the victim into  submitting the attackers form data to the victims   01:45:29,690 --> 01:45:36,770 web server, essentially, essentially performing  these these requests in the in our case, as I've   01:45:36,770 --> 01:45:42,500 mentioned, it will allow us to change the password  of any user on this web application, in this case,   01:45:42,500 --> 01:45:49,880 the OWASP juice shop web application. Alright,  so now you might be asking, Well, if I'm a bug   01:45:49,880 --> 01:45:54,830 bounty hunter, I'm practicing to become a bug  bounty hunter. How do I go about finding this   01:45:54,830 --> 01:45:58,760 vulnerability? Well, that's a very good question.  And that is the question you should be asking   01:45:58,760 --> 01:46:05,810 yourself when performing any penetration test.  Now, coming back to my environment, I'm running   01:46:05,810 --> 01:46:10,220 burp suite, the Community Edition, you you will  just need the Community Edition for this one,   01:46:10,220 --> 01:46:14,330 we're not performing any advanced techniques  here, because we're essentially just changing,   01:46:14,330 --> 01:46:21,080 we're just going to be changing the request to get  our desired responses. But once we move on to the   01:46:21,080 --> 01:46:27,350 advanced stuff, I'll then be using OS zap for  our attacks. Alright, so keeping things really,   01:46:27,350 --> 01:46:33,500 really simple, we, the way to look for these  vulnerabilities is to target the login pages,   01:46:33,500 --> 01:46:38,690 which we have right here, we then need to, we  can then create the account and log in. And   01:46:38,690 --> 01:46:44,630 then finally, we will be creating our own our  own script to perform the cross site scripting.   01:46:44,630 --> 01:46:50,480 And that will allow us to submit the data or  if we send the URL to another user of this   01:46:50,480 --> 01:46:55,400 web application who is currently authenticated,  it will allow the it will allow us to make them   01:46:55,400 --> 01:47:01,640 change their password, and then we can log into  their account. Alright, so this vulnerability   01:47:01,640 --> 01:47:08,570 is very common on sites with accounts, you know,  sites that have emails of passwords. And as you   01:47:08,570 --> 01:47:12,560 probably would have guessed, there are a lot  of sites that utilize this functionality. But   01:47:12,560 --> 01:47:16,610 remember, most of the sites out there will be  protected from this vulnerability. So it's up   01:47:16,610 --> 01:47:21,950 to you to find these vulnerabilities. Alright, so  as I've mentioned, we will be using OWASP juice   01:47:21,950 --> 01:47:27,500 shop as our target. And the reason is, is because  it will explain what I want to explain really,   01:47:27,500 --> 01:47:33,140 really well. Alright, and we'll be using the burp  suite Community Edition. Now, as you can see,   01:47:33,140 --> 01:47:38,120 I'm currently running the burp proxy, I'm not  intercepting any traffic, if I open up burp suite,   01:47:38,120 --> 01:47:42,680 I'm not intercepting any traffic. If I go to  the proxy, and intercept, I'm not intercepting   01:47:42,680 --> 01:47:48,650 anything. So it's currently just I'm just going  through the burp proxy and all the traffic and   01:47:48,650 --> 01:47:54,290 data is being logged through the proxy. So when  it comes down to this little data that I've   01:47:54,290 --> 01:47:58,010 saved here, I've already created an account.  The reason I've done that is to save time,   01:47:58,010 --> 01:48:04,130 because I don't want to explain everything about  it. So I've created, I've created a user with the   01:48:04,130 --> 01:48:10,730 email of test@test.com and a password of password.  So really simple. Again, there's nothing really   01:48:10,730 --> 01:48:15,590 complicated here. And if you want if you're  wondering what exactly does this mean? Well,   01:48:15,590 --> 01:48:21,650 this is a security question with the answer.  So the question was, what's my favorite pet,   01:48:21,650 --> 01:48:26,660 and I wrote in dog. So hopefully, that doesn't  scare you into thinking that I've gone completely   01:48:26,660 --> 01:48:32,300 crazy. And then in here we have the scripts that  we'll be using, or will be utilizing to perform   01:48:32,300 --> 01:48:38,150 the CSRF are on the site, I'll get to this in  a second. We don't need that right now. So if   01:48:38,150 --> 01:48:42,980 I want to log in, I know that the email is  test@test.com. And the password is password.   01:48:42,980 --> 01:48:49,220 Alright, so let me do that right now we need  to authenticate. So let me log in, like so. And   01:48:49,220 --> 01:48:55,700 I'm going to hit test@test.com. Alright, and I'm  going to write the password, which is password,   01:48:55,700 --> 01:48:59,990 and I'm going to log in. Alright, and I'm don't  want to save the password. And there you also   01:48:59,990 --> 01:49:05,810 have logged in now. Now as I said, this is very  this vulnerability works really, really well when   01:49:05,810 --> 01:49:09,980 you're talking about changing passwords, because  as you can probably guess, an attacker would would   01:49:09,980 --> 01:49:15,170 be looking to exploit this functionality because  imagine, if we were able to send a request a get   01:49:15,170 --> 01:49:21,110 request to our target with the URL encoded URL.  Of course, we can also use link shorteners,   01:49:21,110 --> 01:49:26,270 if we wanted to, to do that. And essentially,  if they authenticated, it will allow us to make   01:49:26,270 --> 01:49:30,920 them change their password simply by clicking  on the link, changing their password to whatever   01:49:30,920 --> 01:49:37,070 we specify. Alright, so how do we do this? Well,  the first thing we need to do is we need to look   01:49:37,070 --> 01:49:43,520 at how we get requests are being sent. And we can  do that using burp. So we're just going to change   01:49:43,520 --> 01:49:47,900 our password. So current password is password.  And what I'm going to do is I'm going to change   01:49:47,900 --> 01:49:59,150 my password into password. Oops, sorry, pass word  123. And I'm going to repeat it so fast word 123.   01:49:59,150 --> 01:50:05,180 And I'm going to hit Alright, so the password was  successfully changed. Okay, now let's look at how   01:50:05,180 --> 01:50:11,180 this was processed in burp, or how the request was  sent in burp. So I'm going to go into burp proxy   01:50:11,180 --> 01:50:15,860 and HTTP history. And I'm going to go all the way  to the bottom. And as you can see, we have the get   01:50:15,860 --> 01:50:21,670 request right over here. Okay, so the get request  is very interesting. You can see we have the get   01:50:21,670 --> 01:50:28,000 request, and it's targeting the the following URL.  And these are the parameters. So change password,   01:50:28,000 --> 01:50:34,090 the current password is password, new password  123. And we've repeated it. Alright. So now let   01:50:34,090 --> 01:50:39,220 us perform the forgery here. So I'm going  to send this in to the repeater. Alright,   01:50:39,220 --> 01:50:44,380 so I'm going to click on repeater. And in here, we  can manipulate the request and see what responses   01:50:44,380 --> 01:50:50,260 we get. All right, in case you, you did not know  about that. But again, let's start off really,   01:50:50,260 --> 01:50:55,600 really simply. So we are going to be working  with the raw request. We don't want to work   01:50:55,600 --> 01:51:00,100 with individual parameters, although you could  change it, but we are going to be manipulating   01:51:00,100 --> 01:51:05,410 the request entirely so that it performs what we  want to do. Alright, so what we can do first is   01:51:05,410 --> 01:51:13,420 we can test so let's change what if we were to  change the current password to something like,   01:51:13,420 --> 01:51:18,910 let's see test, let's change it to test and  then we hit go, you can see that the response   01:51:18,910 --> 01:51:24,730 we get is a is a 401 error, which means we are an  authorized to make that and it will give you the   01:51:24,730 --> 01:51:29,290 message right here. The current password is not  correct. All right, that's good. That is good from   01:51:29,290 --> 01:51:34,180 a web application perspective, which means that  this web application is performing validation.   01:51:34,180 --> 01:51:39,730 And it's not going to allow us to know to just go  in and start manipulating any requests and making   01:51:39,730 --> 01:51:45,820 changes. So from a security perspective, the web  application is doing really, really well. Alright,   01:51:45,820 --> 01:51:52,930 what if I was to change the new password? Let  me change this back to password to the current   01:51:52,930 --> 01:51:59,680 password, which is what we said and change the  new password to password pass 123. All right,   01:51:59,680 --> 01:52:07,720 and I hit go. Again, we get another error. Again,  the 401 unauthorized error telling us that the new   01:52:07,720 --> 01:52:13,330 and repeated password do not match. So yes, the  current password is correct. And the only thing   01:52:13,330 --> 01:52:17,650 that we're getting an error is the new password  and the repeated password are not correct. So   01:52:17,650 --> 01:52:24,610 interesting. What if we want to change the  password into password 123. And we can repeat that   01:52:24,610 --> 01:52:33,430 again. So we want to confirm this. So password  123 actually hold on. So I'm going to say password   01:52:33,430 --> 01:52:42,340 123. And now let's see what this tells us. This  should verify it. But let's see if this works.   01:52:42,340 --> 01:52:47,650 So you can see yes, that does work. And we know  that this works, because that's what we did that   01:52:47,650 --> 01:52:53,860 was the original request. But what if we do not  know the current password of the user? Remember,   01:52:53,860 --> 01:52:59,200 we're going to be targeting other users of this  web application. So what if we get rid of and this   01:52:59,200 --> 01:53:05,170 is very, very, this is the way penetration testers  go about it. What if we get rid of stuff? So what   01:53:05,170 --> 01:53:11,170 if we get rid of the current password? Alright,  and now essentially, they get his targeting Change   01:53:11,170 --> 01:53:17,050 Password with the question mark here, essentially  requesting and we're only entering the fields or   01:53:17,050 --> 01:53:22,480 parameters new. And repeat what if we do that  and we change them to password 123 I mean,   01:53:22,480 --> 01:53:30,220 pass 123 and pass 123. Let go. You can see yes,  it does work, we get the 200, the 200 response,   01:53:30,220 --> 01:53:35,350 which means everything was processed correctly.  And we were able to get a password that looks   01:53:35,350 --> 01:53:41,980 to be hash, that looks to be hashed. And we got  the email that we used. So yes, we do know that   01:53:41,980 --> 01:53:50,500 it is working. Alright, so we know that we know  that this worked. But we need to confirm that   01:53:50,500 --> 01:53:55,780 this has worked. So we can do this by going back  into our web application. And we can log out and   01:53:55,780 --> 01:53:59,920 we can try and log in again. So log in with our  new password. So we're gonna say test@test.com,   01:54:01,360 --> 01:54:07,270 and our new password was passed 123. Remember, we  changed it earlier. But again, I was demonstrating   01:54:07,270 --> 01:54:12,820 that we if we are to send this to our target, we  need to specify to make sure that it will work   01:54:12,820 --> 01:54:18,730 without any pre required information like their  current password. So I've manipulated the request   01:54:18,730 --> 01:54:25,480 there. So let's hit log in. And voila, you can see  it does work. Excellent. All right. So this is a   01:54:25,480 --> 01:54:32,080 fantastic example of so also CSRF can be utilized  or how it can be how you can find vulnerabilities   01:54:32,080 --> 01:54:39,130 for it. Alright, so this can allow us to change  or update anyone's password. anyone's accounts   01:54:39,130 --> 01:54:45,580 password that are currently logged into this web  application. Alright, so now what we what we need   01:54:45,580 --> 01:54:51,480 to do well, we can we can log in. As we've already  seen, we can log in and once you've logged in,   01:54:51,480 --> 01:54:58,080 we can we can test to see if cross site scripting  does work. And then of course utilizing it   01:54:58,080 --> 01:55:03,240 throughout the web application is very important.  So We can run a simple cross site script attack to   01:55:03,240 --> 01:55:08,820 see if it will work on the search bar right here.  So I'm going to type in script. And a simple one.   01:55:08,820 --> 01:55:16,320 So alert, just to test whether it works. And  in the alert, we can say, Hello, just something   01:55:16,320 --> 01:55:24,480 stupid hello world, you know, that's an I can't  even type man Come on world. And we've typed in   01:55:24,480 --> 01:55:29,520 the alert. And we can finally close the script  here. Script like so. And let's hit search.   01:55:29,521 --> 01:55:34,801 And voila, we can see that indeed, cross site  scripting work works, which means we can insert,   01:55:34,800 --> 01:55:42,570 we can insert our GET request inside a script and  use a cross site scripting to perform the CSRF.   01:55:42,570 --> 01:55:48,090 And now you can see them conjoining together,  cross site scripting with request forgery. Okay,   01:55:48,090 --> 01:55:52,620 so we now need to create our custom script  that will allow us to utilize the attack.   01:55:52,620 --> 01:55:57,810 And we will be using XML and HTTP. Now, you  might have seen this script right over here,   01:55:57,811 --> 01:56:02,611 let me just minimize this and open up leafpad, you  might have seen this script that I created. Now   01:56:02,610 --> 01:56:09,120 you can find many of these CSRS scripts are online  that utilize different languages. In my case,   01:56:09,120 --> 01:56:15,060 I find the one that works the best is the  is the one that works with x XML and HTTP   01:56:15,061 --> 01:56:22,381 and contains the get request in here. Okay, now,  you can see that the get request requires the URL   01:56:22,380 --> 01:56:28,140 in which we submit the the parameters without the  current password. So we need to go back into burp.   01:56:28,140 --> 01:56:38,010 And it needs to go back into proxy HTTP. Sorry  about that HTTP, we look to change the password.   01:56:38,010 --> 01:56:45,120 So if we go back into, sorry, the repeater. And  if we look at this now, we can see that the URL   01:56:45,120 --> 01:56:52,140 is right over here. So that's the get request. So  if we copy this localhost, obviously, and we are   01:56:52,140 --> 01:56:57,840 not using any current password field, so if we  can do that, really, really simply, you can see   01:56:57,840 --> 01:57:03,929 how this can be utilized really, really well. So  what we need to do now is understand how the URL   01:57:03,930 --> 01:57:08,130 will be format. And of course, the web application  is going to encode it, and I'll get to that in a   01:57:08,130 --> 01:57:13,290 second. So we need to copy this URL right here.  So I'm just going to copy the URL. And we can   01:57:13,290 --> 01:57:19,530 edit our our script. So HTTPS, and we paste it in  inside the URL, you can copy this script if you   01:57:19,530 --> 01:57:26,880 want to. Let's take a look at whether this script  is formatted correctly. So get HTTP new, that's   01:57:26,880 --> 01:57:33,480 not the way we want it. Let me get rid of the  pre pre determined HTTP there. So HTTP localhost,   01:57:33,480 --> 01:57:40,680 it's hosted on my localhost with the Port 3000  node, an OJS standard. And the we want to change   01:57:40,680 --> 01:57:45,870 the password, the new password is past 123 and  repeat his past 123, you can change that to   01:57:45,870 --> 01:57:52,080 whatever you want, if you want to, you know, play  around with the script. But in my case, I don't   01:57:52,080 --> 01:57:58,440 want to do any of that. So this is the script. So  what we can do is we can copy this now. And we can   01:57:58,440 --> 01:58:06,330 run this in the search bar. And that should, in  theory, and in practice, give us our first CSRF   01:58:06,330 --> 01:58:11,070 attack on the site. So I'm going to paste this in  here. And let's see whether it does this. So I'm   01:58:11,070 --> 01:58:17,550 gonna hit search. And you can see you successfully  solved the challenge error handling provoked an   01:58:17,550 --> 01:58:23,250 error that is not very gracefully handle. Again,  this is a fantastic web application vulnerable web   01:58:23,250 --> 01:58:28,620 application that is awesome for practicing your  your web application penetration testing skills.   01:58:28,620 --> 01:58:34,980 Now, I talked about the URL that you should send  to your target. And that is the URL that will   01:58:34,980 --> 01:58:40,800 essentially make them change their password or  without them knowing, given that they are logged   01:58:40,800 --> 01:58:46,320 in to the web application or they have an account,  it will not work if they have not logged in.   01:58:46,320 --> 01:58:50,640 Alright, so that's very important to understand.  And many people just you know, forget about this.   01:58:50,640 --> 01:58:59,700 Now. Again, if you could have done this, you I  can log out again, and I can log in try and log   01:58:59,700 --> 01:59:05,100 in now. And I can type in for example test I just  want to show you something very interesting here   01:59:05,100 --> 01:59:10,740 test. And I can change the password, we already  changed it to password 123. Now before I do that,   01:59:10,740 --> 01:59:14,990 I can just inspect the element here. And I'm  going to hit login. And I just wanted you to   01:59:14,990 --> 01:59:21,290 check something out. All right now, let me just  expand this a little bit here. If we were to   01:59:21,290 --> 01:59:25,940 look at the network, this will essentially shows  all the GET requests. So if I was to hit login,   01:59:25,940 --> 01:59:31,640 you can see that if we are to look at the  get request here the login GET request,   01:59:31,640 --> 01:59:38,570 you can go ahead and look at at the exact format  in which it was sent. You can look at the cookie   01:59:38,570 --> 01:59:44,750 the it should give you the the authentication  token not to show it should give you the authentic   01:59:44,750 --> 01:59:49,520 the authentication token. But that's something for  another day. Don't want to complicate you guys,   01:59:49,520 --> 01:59:53,960 you can look at the cookie if you want to. And  you have all the responses right here. So there we   01:59:53,960 --> 01:59:59,510 are. There's the authentication token and you can  see something very interesting in regards to the   01:59:59,510 --> 02:00:11,450 token. Alright, so let me show you this right now.  Alright, so as I was saying, you can see. Alright,   02:00:11,450 --> 02:00:16,550 so as I was saying, you can see that if we look  at the parameters, the password will be displayed   02:00:16,550 --> 02:00:21,530 there, and it will be updated to the one that  we selected or specified in the script. Alright,   02:00:21,530 --> 02:00:26,210 so remember, if you want to customize the cross  site scripting attack, you can do it through your   02:00:26,210 --> 02:00:31,790 script. And where is lifted here. So there we are.  So you can change the password. The as you see,   02:00:31,790 --> 02:00:36,920 we just got rid of the current password parameter,  which is a vulnerability on the site, but you can   02:00:36,920 --> 02:00:41,450 change the password to whatever you want. And  now you might be asking, as I've mentioned, what   02:00:41,450 --> 02:00:46,190 link do you send to the target and that is very,  very simple. If I was to run the script again,   02:00:46,190 --> 02:00:55,160 and I change the password to maybe something else  like password 124, or 345, sorry, 345. Let me just   02:00:55,160 --> 02:01:02,150 add that to the password. And I run the script on  an authenticated user, which is me. So let me copy   02:01:02,150 --> 02:01:07,040 that. And it should change my account password.  And you can see once I log in, log out and try   02:01:07,040 --> 02:01:11,990 logging in, it will have changed it successfully.  So let me just run it in here. So I'm going to   02:01:11,990 --> 02:01:16,490 paste the new one in here. And I'm going to search  and there we are. So now it's changed my password.   02:01:16,490 --> 02:01:25,761 And if I log out, and I try and log in with with  the old password, which is password 123, you can   02:01:25,760 --> 02:01:31,220 see whoops, sorry, I think I typed that in wrongly  123 like so, fight login, there we are, you can   02:01:31,220 --> 02:01:36,830 see that we entered the new password, and it did  work fantastic. So we were successfully able to   02:01:36,830 --> 02:01:42,680 execute the script. And again, when if I just run  the script, again, this is the URL that you will   02:01:42,680 --> 02:01:48,860 send to your target. Alright, so if I just copy  it, and I inspect it in my leafpad here, I really   02:01:48,860 --> 02:01:53,630 love leafpad. I don't know that you guys love it,  too. If I just inspect it, you can see that this   02:01:53,630 --> 02:01:59,270 indeed is a URL. And if the web application was  being hosted on a server, outside my local area   02:01:59,270 --> 02:02:04,850 network, it would give you the website name, the  port, if it is port specific, and the URL here,   02:02:04,850 --> 02:02:10,070 which as you can see is encoded. So what I  would recommend is that you copy this link here,   02:02:10,070 --> 02:02:15,980 and you use a link shortener like bit fly or any  of the other Google shorteners, and you send that   02:02:15,980 --> 02:02:20,780 to your target. And once they click on the link,  and if they already logged in to this specific   02:02:20,780 --> 02:02:26,120 web application, it will update their password.  And you can essentially, you have the password   02:02:26,120 --> 02:02:30,800 now because you've updated it. And you're all you  need is the email, which I'm pretty sure you must   02:02:30,800 --> 02:02:35,630 be knowing if you're performing this attack. Or  you could just be gathering passwords of users,   02:02:35,630 --> 02:02:41,990 all of which you can, you can send this link to  and are authenticated with the web application.   02:02:46,020 --> 02:02:50,720 We're going to be taking a look at session  management. And in this video, particularly,   02:02:50,720 --> 02:02:57,050 we'll be looking at cookie collection. Alright, so  as you know, you probably would have known what a   02:02:57,050 --> 02:03:03,020 cookie is. Now there are three types of cookies  that we really need to be focusing on in this   02:03:03,021 --> 02:03:10,551 section. And we will be focusing on in general.  The first one is the session cookies, which I'll   02:03:10,550 --> 02:03:15,830 discuss in a while we then have the permanent  cookies and the third party cookies. So third   02:03:15,831 --> 02:03:22,251 party cookies are really all to do with third  party API's that may be used. So for example,   02:03:22,250 --> 02:03:30,500 if you're on a website that utilizes flashplayer,  you may find some cookies, that that are in relate   02:03:30,500 --> 02:03:36,080 that are related to the Flash Player. So it's very  important that you understand how to collect these   02:03:36,081 --> 02:03:41,691 cookies. And as well, we'll be looking at reverse  engineering them, but not really tampering with   02:03:41,690 --> 02:03:46,940 them. Because I first want to explain to you guys  how everything is done. And then we can move on   02:03:46,940 --> 02:03:52,970 into into finally tampering with them and seeing  if we can change them to give us access to give us   02:03:52,970 --> 02:03:57,410 different type of of access. And where this comes  into play is when you're talking about session   02:03:57,411 --> 02:04:04,491 cookies. And in this session cookies, we have the  the auth, the authentication token, and the D and   02:04:04,490 --> 02:04:10,490 the unauthenticated token. So all to do with your  access on a web application or on a website. Okay,   02:04:10,490 --> 02:04:18,410 so essentially, all the cookies that you can  probably ever get when you visit or you get   02:04:18,411 --> 02:04:23,541 when you visit a website are they are generated  when you visit the website. And furthermore,   02:04:23,541 --> 02:04:28,911 the cookies change when you authenticate with  the website and you or you log out right so when   02:04:28,911 --> 02:04:33,591 you log in, you get a different set of cookies.  And when you log out, you get a different set of   02:04:33,590 --> 02:04:38,150 cookies. This is where the whole idea of session  management comes into play and how cookies are   02:04:38,150 --> 02:04:44,540 utilized for this system. So I'm currently running  OSU shop. So I showed you guys how to set that up.   02:04:44,541 --> 02:04:50,781 Let me know if you found it helpful. So I have  it set up and open as it opened up in my browser.   02:04:50,780 --> 02:04:55,160 Now what I'm going to be covering is how to  collect these cookies and understanding the   02:04:55,161 --> 02:05:00,670 difference between an unauthenticated cookie  and the authenticated cookie. So Usually,   02:05:01,480 --> 02:05:05,800 what I have, or what I use to my advantage  is if you're using Google Chrome or Firefox,   02:05:05,800 --> 02:05:12,790 you you can get a cookie collection or a cookie  editor add on that allows you to edit the cookies.   02:05:12,790 --> 02:05:16,750 But as I said, we're not going to be looking at  editing them right now, because we don't know   02:05:16,750 --> 02:05:21,130 what to change in them, this video is going to  be focused on collecting them and then analyzing   02:05:21,130 --> 02:05:27,250 them to see what information they have within  them. All right, so I've currently I reset this,   02:05:27,250 --> 02:05:33,340 the OWASP juice shop. And the reason I did that  is just to start off fresh. And I said, we're   02:05:33,340 --> 02:05:38,140 going to be using this for performing all of the  examples that we'll be showing you so that we can   02:05:38,140 --> 02:05:43,750 learn all the concepts. So I'm just gonna, before  we log in, I just want to show you the first set   02:05:43,750 --> 02:05:48,550 of cookies that we'll get once we were when we  visited the site. Don't worry about the other   02:05:48,550 --> 02:05:54,190 links, we'll get to them in a second. Alright, so  I'm using the cookie editor right here, you can   02:05:54,190 --> 02:06:00,610 find this same one for Firefox, that's what I'm  using. They are also other ones for Google Chrome,   02:06:00,610 --> 02:06:06,550 if you want to do that. And in addition, we're  not going to be using any proxy, like burp suite   02:06:06,550 --> 02:06:12,130 or the OWASP zap right now, because we're just  focused on using the browser tools. And of course,   02:06:12,130 --> 02:06:18,520 these add ons here. So what I can do now is if I  just go right click, and I hit Inspect Element, we   02:06:18,520 --> 02:06:25,210 have the, the developer tools right here. And if  we are to go into Once you've installed the cookie   02:06:25,210 --> 02:06:30,190 editor, you can directly go into storage. And in  storage, you will, you will begin you will get the   02:06:30,190 --> 02:06:35,680 cookies here and other values right here. But if  you it'll be better for you to understand what's   02:06:35,680 --> 02:06:40,780 going on if you go into the cookie editor. Now  in the cookie editor, you can see that we have   02:06:40,780 --> 02:06:46,780 two cookies that we've gathered here, and we have  the cookie consent status. And the the i o which   02:06:46,780 --> 02:06:52,810 I'm not sure really what it does input output,  output, I'm probably guessing. So when it comes   02:06:52,810 --> 02:07:00,010 down to the QB, consent status, we probably get an  idea of what of what this is. What this is asking   02:07:00,010 --> 02:07:05,800 us. So when I when I opened up the website, it  gave me a prompt asking me like all websites will   02:07:05,800 --> 02:07:12,550 ask you in 2018 to do is to accept their privacy  policy, in their privacy policies in regards to   02:07:12,550 --> 02:07:19,080 their use of personal data and cookies. And the  reason is, is because cookies can can log or have   02:07:19,080 --> 02:07:23,400 a lot of information about you. They contain a  lot of information about what your what you've   02:07:23,400 --> 02:07:28,710 been doing. So this is why I've created this right  now before we move along, it's very important to   02:07:28,710 --> 02:07:36,150 understand their role in session management. Okay,  so we need to look at the authentic authentication   02:07:36,150 --> 02:07:41,250 tokens because that's where most of the magic  happens, as you would expect. So let me just close   02:07:41,250 --> 02:07:46,530 this up. And let me just log in. So let me just  use the password there, the email that I used,   02:07:46,530 --> 02:07:53,040 and the password, like so. And let me just log in.  I don't want to save the password. So I've logged   02:07:53,040 --> 02:07:58,950 in now. And if I inspect the element, again,  you can see in the cookie editor, let that load,   02:07:58,950 --> 02:08:03,270 it usually takes a while to load. There we are,  we have the token. Now the token, this token is   02:08:03,270 --> 02:08:09,480 an authentication token. Alright, so when it comes  down, when it comes down to reverse engineering a   02:08:09,480 --> 02:08:14,880 token, for example, let's use this as our example.  We essentially testing it for vulnerabilities   02:08:14,880 --> 02:08:18,990 similar to a penetration test. Now you might be  a little bit confused. You might be asking, Well,   02:08:18,990 --> 02:08:24,510 what what what do you mean by this? How can we  perform a penetration test on this token? Well,   02:08:24,510 --> 02:08:31,470 this token is encoded. Alright. So this is if  we just copy this. I don't know whether you know   02:08:31,470 --> 02:08:37,560 about this, but this is a JSON web token. Alright.  So it is it is a JSON web token. And you can use   02:08:37,560 --> 02:08:42,510 the JSON Web Token decoder, I'll be posting this  link in the description. This is the one that   02:08:42,510 --> 02:08:50,040 I prefer to use. If I am to paste this in here.  And you can see once I've pasted it in here, it's   02:08:50,040 --> 02:08:54,780 going to give me all information. And I'm going  to help you understand what we've just done. So   02:08:54,780 --> 02:08:59,130 essentially, what we have done is we have reverse  engineered what this web token is all about. So   02:08:59,130 --> 02:09:05,010 now we need to look at what what it contains and  what type of authorities or privileges it's giving   02:09:05,010 --> 02:09:11,070 to us. Because remember, this is an authentication  token. And it is unique to us because this will,   02:09:11,070 --> 02:09:15,720 this will determine whether or not we're logged  into a site or we're logged out and what access   02:09:15,720 --> 02:09:20,460 we have on the website. I'm pretty sure you  already know that. All right. So when it comes to   02:09:20,460 --> 02:09:25,980 the header, now, this is very important. I've seen  many web people claiming to be bug bounty hunters   02:09:25,980 --> 02:09:31,170 and they don't understand how the the web token is  even structured. What is the header the header is   02:09:31,170 --> 02:09:36,540 separated from the payload. This is the header  right here, up until the first full stop that   02:09:36,540 --> 02:09:41,010 is the header it's very important to understand  that because they are separated from each other.   02:09:41,010 --> 02:09:45,900 In fact, the JSON web token is sorted into three  parts right here you have the you have the header,   02:09:45,900 --> 02:09:51,780 you then have the payload until here. And then  finally you have the signature which is right,   02:09:51,780 --> 02:09:57,480 right at the bottom here which is also separated  from the rest. Okay, so when it comes down to the   02:09:57,480 --> 02:10:02,790 header, alright, the header is going to give  you the of the of the token. In this case,   02:10:02,790 --> 02:10:07,830 we know it's a JSON web token, we then have the  algorithm, which is the hashing algorithm used,   02:10:07,830 --> 02:10:14,130 which is the RS 256. And then the payload  now in the payload, this is where things get   02:10:14,130 --> 02:10:19,320 really interesting as you would have expected, you  have the status, the status code here, the data,   02:10:19,320 --> 02:10:28,170 if any data was passed the ID, we can always use  the ID. Two, we can always edit the ID to see what   02:10:28,170 --> 02:10:33,060 else it can give us in terms of authentication,  because different types of identification or   02:10:33,060 --> 02:10:37,680 identification tokens give us different types  of access. So, as essentially this is what I was   02:10:37,680 --> 02:10:43,800 talking about, this is where you will scrutinize  the the the authentication token, and try and and   02:10:43,800 --> 02:10:49,290 tamper with it to to see what different results  you can you can get. So remember, we can edit this   02:10:49,290 --> 02:10:54,660 token, right, and we can edit anything about it.  And then we can finally copy it. And we can use   02:10:54,660 --> 02:11:01,380 that in the OSB shop and paste it right here and  re authenticate with that new token and see what   02:11:01,380 --> 02:11:05,100 results we can get. Now, of course, we're not  going to do that right now, because I wanted to   02:11:05,100 --> 02:11:10,800 introduce you as to what information you're going  to find and what exactly is going on here. Okay,   02:11:10,800 --> 02:11:17,610 so one step at a time. So you can see that  something interesting pops up here, something   02:11:17,610 --> 02:11:23,190 extremely interesting, we have the email which  for some reason, in this token, we can see that   02:11:23,190 --> 02:11:31,320 it's not very well designed because the email is  in plain text, which means which means if In any   02:11:31,320 --> 02:11:38,730 case, or in any scenario, someone is able to get  this token in which I authenticated within a site,   02:11:38,730 --> 02:11:44,520 they will have access to my email and my password.  But you must be saying, Well, I didn't see you   02:11:44,520 --> 02:11:50,040 type out all of these random passwords here. Well,  I can easily guess that this is an MD five hashed   02:11:50,040 --> 02:11:55,650 password, which means I can depending on the  on the strength of the password, I can decrypt   02:11:55,650 --> 02:12:00,630 online in a second using any of the decryption  tools. So if I was to just copy this right now,   02:12:00,630 --> 02:12:05,880 and I wanted to know the password, let's say this  wasn't even mine, this authentication token wasn't   02:12:05,880 --> 02:12:10,620 even mine, and I found the the email and password,  all I needed to do was unmatched the password,   02:12:10,620 --> 02:12:16,050 I can go to Mt five online.org, which is what I  use a lot. And I paste that hash right in here.   02:12:16,050 --> 02:12:20,970 And I hit decrypt. And you can see, well, first  of all, it's gonna prompt me to enter capture   02:12:20,970 --> 02:12:26,610 your storefront. This is this is getting really  annoying. Now, for some reason, it always does   02:12:26,610 --> 02:12:31,440 that, as you can see, it's gonna, it's gonna find  the action. Of course, this is this is dependent   02:12:31,440 --> 02:12:36,810 on the difficulty of the hash and whether or not  it can find it online. Okay, so you can see that   02:12:36,810 --> 02:12:42,390 it will display the hash and the password in plain  text, which in this case was passed 123. Now,   02:12:42,390 --> 02:12:46,530 of course, you can experiment with this.  And you can also experiment if, for example,   02:12:46,530 --> 02:12:53,580 the authentication token that you found was using  a different encryption, or a hashing algorithm for   02:12:53,580 --> 02:12:57,900 the password, the first thing you need to do is  identify what it's using, and then you go about   02:12:57,900 --> 02:13:02,820 decrypting it. Now, I'm not going to be talking  about the other parts here, because that's a bit   02:13:02,820 --> 02:13:09,420 that's a bit advanced. As you can see, by default,  the signature, the token signature failed,   02:13:09,420 --> 02:13:14,160 which means we can tamper with this token, and we  can make changes to it. And we can authenticate   02:13:14,160 --> 02:13:19,980 with it because it said, The OWASP juice shop is  is designed to be vulnerable. And this is where   02:13:19,980 --> 02:13:25,350 you perform all of these tests. Okay, so when  it comes down to the payload, the most important   02:13:25,350 --> 02:13:29,520 things are to look for the status, the ID and  obviously, if you can get any other information   02:13:29,520 --> 02:13:34,980 in the data section, or in terms of the email and  the password, that's also very important. Now,   02:13:34,980 --> 02:13:41,700 of course, it's not very easy to get a hold of  someone's of someone's token, but you can do   02:13:41,700 --> 02:13:47,550 it but and then you are performing the penetration  test on the token, because if someone was to write   02:13:47,550 --> 02:13:52,350 in the comment section of this video, what it was  to grab the the authentication token that belongs   02:13:52,350 --> 02:13:58,031 to Facebook lets you have access to someone's  computer for a few seconds. And as to get the   02:13:58,030 --> 02:14:03,430 authentication token, what would I be able to do?  Well, first of all, you have to test the security   02:14:03,430 --> 02:14:07,870 of the token. And I can guarantee you that their  tokens are going to be very well secured and   02:14:07,870 --> 02:14:12,940 performing the penetration or the penetration test  on them will be a different ballgame. So we'll be   02:14:12,940 --> 02:14:21,160 looking at changing them or or tempering them to  give us different types of access. We're going to   02:14:21,160 --> 02:14:28,270 be talking about HTTP attribute attributes and  cookie security. I am currently running OSU shop   02:14:28,270 --> 02:14:34,510 and what I did is I started a fresh new instance.  So I unzipped a new OSU shop. That's because I   02:14:34,510 --> 02:14:38,440 wanted to start afresh Now, of course, in the  previous video, we looked at cookie analysis   02:14:38,440 --> 02:14:44,020 and tokens. But now we're going to look at how  at the security aspect of how these cookies are   02:14:44,020 --> 02:14:51,430 secured and how you know how cookies are stolen  and how these can be exploited with with with   02:14:51,430 --> 02:14:57,250 other exploits or functionality like cross site  scripting. Now you will get to what I'm saying   02:14:57,250 --> 02:15:04,510 in a few seconds. So I have was used Stop running.  And I've created the same user and password as I   02:15:04,510 --> 02:15:11,020 did last time. So it's a test@test.com, that being  the email and the password is password 123. Just   02:15:11,020 --> 02:15:14,920 so you know. And I'll do that right now I'm just  going to log in, as you can see, test@test.com   02:15:15,700 --> 02:15:21,940 and the password is password 123. So let me just  log in. And there you are. So I've logged in and   02:15:21,940 --> 02:15:27,370 haven't solved any challenges. So when we talk  about cookie security, what do I mean? Well,   02:15:27,370 --> 02:15:32,260 this can be done or can be inspected really  easily. Now, of course, for this, you're not going   02:15:32,260 --> 02:15:37,510 to need any of the browser extensions or add ons,  because we'll just simply just be inspecting the   02:15:37,510 --> 02:15:43,330 element here. So if we open inspect element and go  into storage, and we go into cookies, and select   02:15:43,330 --> 02:15:49,750 the site, which is on localhost, you can see that  if I was to click on, for example, the token,   02:15:49,750 --> 02:15:58,030 and we just look at the data, you know, that we  can see within the token, if we go to the HTTP   02:15:58,030 --> 02:16:04,390 only section here, you can see that that is set to  false. Now, what does that mean? Well, that means   02:16:04,390 --> 02:16:12,400 that we can potentially exploit this cookie and it  storage location in the sense that it is it is, it   02:16:12,400 --> 02:16:17,770 is not secured. Now, I'll get to why and how this  is happening in the in a few seconds. Alright,   02:16:17,770 --> 02:16:24,910 so if the value is set to false, it means that the  cookie can be accessed and written to now how can   02:16:24,910 --> 02:16:30,190 one use this, you know, for potential attacks,  or Cookie, cookie stealing, as we know it. Now,   02:16:30,190 --> 02:16:36,399 if you are an advanced web application penetration  test, and you know about cross site scripting, you   02:16:36,399 --> 02:16:42,460 know, that usually attackers will use cross site  scripting, to steal cookies, by sending you links,   02:16:42,460 --> 02:16:49,270 that then, you know, by sending you links to pages  on the site, that you're already authenticated to,   02:16:49,270 --> 02:16:55,780 that have the the the malicious JavaScript  code that will then send your cookie,   02:16:55,779 --> 02:17:01,540 your authentication cookie with your token,  etc, etc, to their attack server. And from that,   02:17:01,540 --> 02:17:06,970 they can then use that to authenticate into your  account, it's not common, because mostly, the,   02:17:06,970 --> 02:17:12,280 the cookies are usually secured. Now, you will  run into sites that have this and this is a very,   02:17:12,279 --> 02:17:17,739 very big vulnerability in terms of severity. So if  you're a bug bounty hunter, this is in the medium   02:17:17,739 --> 02:17:24,519 to low category, so not really a big exploit, but  still a very, very big problem that many, many,   02:17:24,520 --> 02:17:29,380 you know, usually, I would like to say rookie  developers Miss, especially when dealing with   02:17:29,380 --> 02:17:34,810 huge frameworks like node etc. I'm not going to  get too deep into that. So you can see that the   02:17:34,810 --> 02:17:40,570 HTTP only is set to false. Now, what does this  mean? This means that we can use utilize a lot of   02:17:40,569 --> 02:17:48,160 functionality to exploit or to display the broken  or even more to send this my cookie or you know,   02:17:48,160 --> 02:17:53,470 my token, whatever you want to call it to a server  or to save it, alright, to grab it to steal it,   02:17:53,470 --> 02:17:59,140 you know, simply put, so how can we exploit  this? Well, we can use cross site scripting,   02:17:59,140 --> 02:18:05,350 and this is probably the most used method  for this. And to do this, we can simply,   02:18:05,350 --> 02:18:12,100 we can use any of the, we can use the search, or  we can use the contact. But I like using search   02:18:12,100 --> 02:18:17,290 because usually it is unfiltered. Now, when I  say this, I'm you know, many of you will say,   02:18:17,290 --> 02:18:21,580 Well, most of the big sites, well, I'm not talking  about the big sites, the big sites, obviously have   02:18:21,580 --> 02:18:25,960 to take this into consideration. I'm talking  about sites that are developed by small teams,   02:18:25,960 --> 02:18:32,890 they usually don't take this into consideration.  So if I was to just type in a simple cross site   02:18:32,890 --> 02:18:38,650 scripting script that will essentially display  my cookie right now as I'm authenticated. So to   02:18:38,649 --> 02:18:43,449 do that, I'll just type in script. And for  this, we're using an alert here to display   02:18:43,449 --> 02:18:49,630 to us so alert, and we're gonna say document,  whoops, stop, sorry, document, dot cookie. And,   02:18:49,630 --> 02:18:55,660 and then we're gonna just close the script like  so. So this will display our cookie to us. Not   02:18:55,660 --> 02:19:01,030 really helpful. But you can imagine if we were  to have this permanently posted, for example, as   02:19:01,030 --> 02:19:06,009 a post here, and then whenever we send that link  to someone, and they click on it, we can customize   02:19:06,010 --> 02:19:11,410 this JavaScript code to send their cookie to  our web server. And once we get their cookie,   02:19:11,410 --> 02:19:16,870 you basically know what's gonna happen there. So  if I hit Enter to search, you can see that it's   02:19:16,870 --> 02:19:22,059 going to display our cookie and our token, and  this is extremely dangerous. You might not get   02:19:22,060 --> 02:19:27,430 the context, but I'll explain it in a second. So  essentially, this information can be passed and   02:19:27,430 --> 02:19:33,640 sent anywhere across the world, provided that the  that your target clicks, clicks on a link in which   02:19:33,640 --> 02:19:39,640 this, this script is executed. Now, the question  that you might be asking yourself as well, where   02:19:39,640 --> 02:19:45,071 else can we post this in in sort of a malicious  way and I know that I sound malicious right now,   02:19:45,070 --> 02:19:51,130 but I'll also get into how to mitigate this. And  again, mitigating It is really simple. Just set   02:19:51,130 --> 02:19:59,470 your HTTP status or your HTTP attribute to true or  set it to on essentially securing your cookie now   02:19:59,470 --> 02:20:04,600 You can see that once we have this, you saw in  the previous video, what we could do with such   02:20:04,600 --> 02:20:11,111 information, and what info it contains in regards  to the user. And how we can, we can, you know,   02:20:11,110 --> 02:20:16,839 crack the password. But for now let's focus on how  this can be utilized to steal the cookie or how   02:20:16,840 --> 02:20:23,260 attackers do it. So you can also get insight if  you're a white hat. So usually I can post this in   02:20:23,260 --> 02:20:29,200 here, I can put, you know, I can type the script  in here. But this is not, it's probably not the   02:20:29,200 --> 02:20:34,300 best way of doing it. Because you essentially  have to convince the user to go into the search   02:20:34,300 --> 02:20:40,901 bar and type this in. Not really the best of ways  about going about going about this. So usually,   02:20:40,900 --> 02:20:47,500 we look for a page that allows us to, you know, to  post our own stuff, or to save this to a database   02:20:47,500 --> 02:20:54,460 or to save it to the website itself. So we let's  try contact us. Alright, so contact us. Yeah,   02:20:54,460 --> 02:20:59,740 that looks like a good place to start. So in the  comment you it already added our author for so in   02:20:59,740 --> 02:21:05,650 the comment, we can enter, we can end our script  in Yeah, and this will probably probably be saved.   02:21:05,650 --> 02:21:11,740 But we have to test it. Now. Of course, the cookie  stealing JavaScript code is not something that I'm   02:21:11,740 --> 02:21:15,250 going to be telling you how to do, you can  probably perform a lot of Google searches,   02:21:15,250 --> 02:21:21,700 it's part of the terms that I have to follow.  In regards to YouTube's YouTube's policies   02:21:21,700 --> 02:21:27,730 about malicious content, and when what not,  so I'm not going to show you the exact code,   02:21:27,730 --> 02:21:32,890 but I'll probably have it on my website, if you  want to take a look at it and experiment as to how   02:21:32,891 --> 02:21:41,111 to send cookies to a another server or server that  belongs to you, for example. So to do this, so now   02:21:41,110 --> 02:21:45,940 essentially, what I want to do is I want to save  this script, into the contacts section, because   02:21:45,940 --> 02:21:52,570 I believe this is saved. If I looked, I looked at  the structure. And indeed, this is saved. So the   02:21:52,570 --> 02:21:57,880 script is quite simple. So we can say, we can  give it a title because I know the feedback is   02:21:57,880 --> 02:22:07,840 left like that. So we can say script test. And we  can close the script here. So scripts, but then we   02:22:07,840 --> 02:22:13,391 have to include the the actual JavaScript code. So  yeah, so let's include this script within the main   02:22:13,391 --> 02:22:19,300 one. So script. And then once we close this one,  we can then use the other script. So your script,   02:22:19,300 --> 02:22:23,920 whoops script in, you can copy this code if  you want. By the way, let me just zoom in,   02:22:23,920 --> 02:22:27,400 because a lot of you had actually talked to me  about that, that you couldn't actually see the   02:22:27,400 --> 02:22:33,730 code. So script. And now we want to bring up  the alert. Now, of course, as I said, this is   02:22:33,730 --> 02:22:37,929 not really useful, because all you're doing is  displaying the cookie to the user themselves,   02:22:37,930 --> 02:22:48,521 once they visit this page, so you probably  get the idea. So script, alert, and we are   02:22:48,521 --> 02:22:52,811 just simply just going to write the document, of  course, it's all sending it to a malicious server,   02:22:52,811 --> 02:22:58,061 what I would have done is I would have used the  document dot cookie, and I would have appended it   02:22:58,061 --> 02:23:06,670 to be sent in in the form of probably a PHP file  or a PHP GET request to my server, and then my   02:23:06,670 --> 02:23:12,280 server would log all of the information being sent  back. So that's the concept there behind so we can   02:23:12,280 --> 02:23:19,869 then close the script here. And sorry, we have to  actually close the script. Oops, sorry, my bad.   02:23:19,869 --> 02:23:26,140 And then we close the script there. And finally,  we can close the final script ending here. So   02:23:26,140 --> 02:23:33,400 script and there we are. And we can leave a  rating if we want to. And there is a CAPTCHA here   02:23:33,399 --> 02:23:39,939 authentication 10 plus five. You You basically,  this is also an exploit here that you can enter.   02:23:39,939 --> 02:23:46,419 Because if you look at this very basically, from  a simple perspective, the capture here is again,   02:23:46,420 --> 02:23:53,230 is another false positive. And again, I know I'm  dragging this, I'm dragging it a lot. But But what   02:23:53,229 --> 02:23:58,809 I'm trying to explain here is, if you are going  to, you're going to be performing a penetration   02:23:58,810 --> 02:24:05,380 test on a web site, you need to understand that,  from the perspective of false positives, you   02:24:05,380 --> 02:24:11,770 should not go after the big exploitations or the  big exploits first. Alright, so if I submit this,   02:24:11,770 --> 02:24:17,650 as I know the structure of the OSU shop, this will  be submitted to one of the pages in which after   02:24:17,649 --> 02:24:24,099 I click, or any other user who is authenticated  clicks, will will run that script, or this script   02:24:24,100 --> 02:24:29,920 and will the cookie will be displayed on the  screen. And if you want to manipulate or use   02:24:29,920 --> 02:24:35,949 your own script to send the cookie to your server,  by all means go and do that. I'm not condoning it.   02:24:35,949 --> 02:24:45,159 So that is 75. And I hit submit. And what nots  wrong capture 10 plus five, actually, 25. Yes,   02:24:45,159 --> 02:24:50,380 brackets of division multiplication addition, you  guys must be thinking I suck at math. So that is   02:24:50,380 --> 02:24:58,390 25 plus five, plus 10. Sorry, that's 3535. And I  submit that whoops, we have to actually type our   02:24:58,390 --> 02:25:03,550 code back in Sorry about that, guys. So we can  just type in script, and we're simply testing   02:25:03,550 --> 02:25:11,380 test. And then after this, we can close the first  one. And script here. Whoops, sorry about that my   02:25:11,380 --> 02:25:20,739 keyboard is quite a distance from me. Alert. And  my spelling mistakes are really annoying script.   02:25:20,739 --> 02:25:30,519 And finally, we can use the document. My God, man  my typing document dot alert dot cookie, sorry,   02:25:30,520 --> 02:25:35,980 we are we have already sent the alert, we will  use the doc document, that alert would essentially   02:25:35,979 --> 02:25:43,569 display the entire webpage, document dot cookie.  And in here, we close the first script. And sorry,   02:25:43,569 --> 02:25:50,619 the the initial script. And then we close the  last one year. So script. And we close that right   02:25:50,619 --> 02:25:56,199 there. And finally, we can give this a rating and  resubmit. And that should submit it. I don't know   02:25:56,199 --> 02:26:00,939 what the issue is here. And then there we are.  Also some Alright, so there we are. Thank you for   02:26:00,939 --> 02:26:07,539 your feedback. So you did submitted there. Let me  zoom back out. Now, you can see that, where would   02:26:07,539 --> 02:26:13,419 you go to launch the script? That's, that that  will be the question that you might be asking.   02:26:13,419 --> 02:26:18,430 So on this in this structure, you can pretty much  experiment with all the other pages. And again,   02:26:18,430 --> 02:26:23,709 I do recommend that you use you know directory  discovery tools, like there Buster go buster,   02:26:23,709 --> 02:26:29,800 whatever is comfortable for you. So with this  in mind, if I was to just click on About Us,   02:26:29,800 --> 02:26:36,430 you can see that that is where the the the  feedback in regards to contact is stored.   02:26:36,430 --> 02:26:41,770 So there you are, there's the cookie. And if  I was to if I was to have implemented a script   02:26:41,770 --> 02:26:48,249 that would send the cookie to my server, once  I access to this page as an authenticated user,   02:26:48,249 --> 02:26:55,989 it would send my my session ID all of that good  stuff to my web server, I now be able to crack the   02:26:55,989 --> 02:27:01,479 password and authenticate with your account. As  simple as that without ever knowing your password   02:27:01,479 --> 02:27:05,918 without ever trying to have guessed it without  without ever trying to have exploited your system.   02:27:05,919 --> 02:27:12,399 I exploited the web application. And because  of the the ability of the developer of the web   02:27:12,399 --> 02:27:18,189 application to secure the cookies, I was able to  get into your account and god knows what else you   02:27:18,189 --> 02:27:24,009 can do in that person's account. And this is you  know, this is tribute to my all my Facebook hacker   02:27:24,010 --> 02:27:30,880 friends out there who think hacking Facebook is  about cracking and brute forcing. There you go,   02:27:30,880 --> 02:27:36,039 you know, web applications can can be cracked  in or can be exploited in different ways. Now,   02:27:36,039 --> 02:27:40,749 of course, as I said, it's going to get really  exciting as we move along with Duchamp. And   02:27:40,749 --> 02:27:47,030 that's the reason I'm using it because it explains  how this can be done on a real website. And yeah,   02:27:51,021 --> 02:27:56,691 we're going to be looking at OWASP juice shop. And  it seems to replicate what a real web application   02:27:56,690 --> 02:28:03,110 would be a fairly poorly designed one. But the  thing I like about it is, it has varying levels,   02:28:03,110 --> 02:28:08,690 levels of difficulty. And that's really,  really awesome. I have it set up on Heroku,   02:28:08,690 --> 02:28:13,759 as you can probably see right over here. And that  works perfectly fine for me because I you know,   02:28:13,760 --> 02:28:18,380 I wanted to set it up really quickly, I want to  run it on my local server, you know, using node   02:28:18,380 --> 02:28:24,320 or Docker. That's really is, I really didn't have  the time to do that. But if you want to you can,   02:28:24,320 --> 02:28:29,750 you can use Heroku. And it should be free for  you. So yeah, definitely go ahead and give it   02:28:29,750 --> 02:28:34,190 a try. And you should have a an instance set up  for yourself. So you can go ahead and do it. And   02:28:34,190 --> 02:28:39,290 it's giving us a prompt here telling us that  this website uses fruit cookies to ensure you   02:28:39,290 --> 02:28:45,530 get the juiciest tracking experience. Now, from my  experience, I would hit accept the cookies because   02:28:45,530 --> 02:28:52,220 essentially, that's what keeps track of your  progress. And yeah, that's pretty, that should   02:28:52,221 --> 02:28:58,580 be quite good. Now as for my browser, I'm using  the latest version of Firefox and I have you know,   02:28:58,580 --> 02:29:03,860 plugins or add ons like cookie editor. And that's  pretty much what we'll be needing In this video,   02:29:03,860 --> 02:29:10,460 I hope and we don't have the the proxies here like  sorry, Foxy proxy to allow us to use things like   02:29:10,460 --> 02:29:17,391 burp suite or zap whatever you want to use. OK,  so let's get started. Now the first challenge,   02:29:17,391 --> 02:29:23,960 as I believe is to get the the scoreboard and  we should start from there. And to do this,   02:29:23,960 --> 02:29:29,300 I think I have done this already. That's really  very simple. All we need to do is well first of   02:29:29,300 --> 02:29:34,700 all before we actually do that, the interface is  quite simple. It is a juice shop as you probably   02:29:34,700 --> 02:29:39,950 can see and could have understood and they  sold juice. Now the great thing that I like   02:29:39,950 --> 02:29:45,800 about OSU shop is that this replicates a real  life a web application with you know, security,   02:29:45,800 --> 02:29:51,111 misconfigurations, etc, etc. So if I log in,  you have your login page right over there, man,   02:29:51,110 --> 02:29:56,509 you can create a new account if you want to, you  can search where the Contact Us page allows us to,   02:29:56,510 --> 02:30:01,460 you know, essentially contact whoever is behind  the site. Then we have an About Us page. And   02:30:01,460 --> 02:30:07,311 the thing I like about this is, as I said,  it replicates what I would call a real web   02:30:07,311 --> 02:30:13,701 application. Now when you talk about, about the  scoreboard, I think that can be accessed really   02:30:13,700 --> 02:30:19,970 quickly by going into scoreboard like so. So, you  know, we can just hit scoreboard. And if I enter,   02:30:19,970 --> 02:30:24,651 that should give us the scoreboard. Alright,  so it gives us the notification once you've   02:30:24,650 --> 02:30:28,969 completed the challenge, and the reason it does  this is to notify you of your progress. Remember,   02:30:28,970 --> 02:30:34,250 this can be considered a capture the flag type  of challenge, but I wouldn't call it this I think   02:30:34,250 --> 02:30:38,690 this is fantastic for essentially explaining the  concept here. Alright, so let me explain how the   02:30:38,690 --> 02:30:44,360 scoreboard is essentially works. Alright, so  a scoreboard is as follows. Sorry about that,   02:30:44,360 --> 02:30:49,099 if you had my phone, it always seems to do  that. So we have, we have the challenges   02:30:49,100 --> 02:30:53,630 sorted in terms of difficulty. So we have a  one star, two star, three star, four star,   02:30:53,630 --> 02:30:58,970 five star and six star. And they all have  various challenges within them. So for example,   02:30:58,970 --> 02:31:04,491 the the difficulty sought in terms of star so you  get the idea, one star is quite easy, two stars,   02:31:05,300 --> 02:31:10,191 you know, not so easy, we have three stars,  things are getting a bit sweaty here, four stars,   02:31:10,190 --> 02:31:16,490 now we're talking five stars, I'm banging my head  on the wall, and six stars, that's going to take   02:31:16,490 --> 02:31:22,070 you probably a few, a few days, or, you know,  hours depending on your determination. Alright,   02:31:22,070 --> 02:31:26,840 so you can see it also gives you the gives you  the challenge names here. So if I click on the   02:31:26,840 --> 02:31:31,370 two star challenges, you can go ahead and look at  the challenges there. And we brought I think in   02:31:31,370 --> 02:31:35,990 the previous videos, we covered a lot of the two  star and three some of the four star challenges   02:31:35,990 --> 02:31:40,460 that we wanted to go through. So the three star  challenges are where things get really awesome,   02:31:40,460 --> 02:31:46,910 because it does start logging in with other  users. And there's a bit of cross site scripting,   02:31:46,910 --> 02:31:51,500 I'm not going to go through all of that,  let's start off with what we can do. Alright,   02:31:51,500 --> 02:31:59,540 so the first challenge in the first is access the  administration section of the store, or right,   02:31:59,540 --> 02:32:03,800 so I'm guessing we have to try and log in, I  think I've done this, this is the first challenge,   02:32:03,800 --> 02:32:12,680 we have to access a confidential document provoked  an error. That is not gracefully, very gracefully   02:32:12,680 --> 02:32:18,890 handled, not to show that is let us redirect you.  I'll try and cover as many as I can. In one video,   02:32:18,890 --> 02:32:23,661 we have cross site scripting attack. This was  simple. I think we covered this. So yeah, we can   02:32:23,660 --> 02:32:29,360 pretty much run that in one of these right over  here. So script, and alert, as it already gives   02:32:29,360 --> 02:32:35,089 you hints these are very, very easy. So I can  just say test. Have I given the OP Sorry, my bad.   02:32:35,090 --> 02:32:42,710 So yeah, there we are test. And we close that up.  And we also close the script right over here. And   02:32:42,710 --> 02:32:49,939 we hit Enter. And there we are. So that is one of  the challenges solved, hopefully did pop up there.   02:32:49,939 --> 02:32:55,849 So if we go back to the scoreboard, it still  tells us for some reason, the web application is   02:32:55,850 --> 02:33:00,920 too low, it's not told us that we have performed a  reflected cross site scripting, all those I don't   02:33:00,920 --> 02:33:06,200 know, right, so reflected. Anyway, we'll get to  that when we get to it. So if we inspect the login   02:33:06,200 --> 02:33:11,570 page, what we can do is we can create a user. So  I'm going to create a user here. And I'll just use   02:33:11,570 --> 02:33:18,259 a simple user here called test@test.com. And the  password or call that password. And I'm going to   02:33:18,260 --> 02:33:27,770 repeat the password here. And I'll just call the  password password. And I'm just going to use name   02:33:27,770 --> 02:33:32,720 of your favorite pet. And I'm just going to say  dog right over here. I'm going to hit register.   02:33:32,720 --> 02:33:38,510 And we're going to save that. Alright, so I can  log in now. Did I log in with the correct test?   02:33:38,510 --> 02:33:43,520 Yeah, there we are. And we're going to log in,  and we are logged in. Alright, so let me just   02:33:43,520 --> 02:33:49,340 zoom out. So the interface does not really crashed  on us. Let me just get rid of that. All right,   02:33:49,340 --> 02:33:54,260 so it's sorted out really well. We have the  language selector here your basket, which   02:33:54,260 --> 02:34:01,010 essentially allows you to select your to view the  items in your basket, you then have your coupon   02:34:01,010 --> 02:34:05,690 if you want, if you want to use a coupon and you  have your checkout, which essentially I believe   02:34:05,689 --> 02:34:11,899 takes you to the the OWASP juice shop, donate  page if I'm not wrong. Let's just see if that   02:34:11,899 --> 02:34:18,259 is correct. Yeah, yeah. So if you want to support  the project, I would, you know, you can donate to   02:34:18,260 --> 02:34:25,730 them. It's a really great project. I really do  recommend that if you can you do so. So you can   02:34:25,729 --> 02:34:29,870 change your password, which is awesome. I think  we also took a look at this and how to change   02:34:29,870 --> 02:34:38,650 it using using the GET requests. Contact us where  you can necessarily write in, you can contact the   02:34:39,910 --> 02:34:47,740 person via the site or the administrator as I  would believe. You can comment, recycle recycle   02:34:47,740 --> 02:34:57,011 what this requester recycling box so you can type  in liters here that has a selector. Alright, okay,   02:34:57,011 --> 02:35:02,200 that's not too bad. We have a complaints board.  And the scoreboard itself here, which for some   02:35:02,200 --> 02:35:07,211 reason, keeps doesn't really load. So let's try  and work on the first section. As I mentioned,   02:35:07,211 --> 02:35:12,671 I'll try and cover as much as I can here. And  you have the About Us here that has some sort of   02:35:12,671 --> 02:35:21,221 Let's see some sort of checkout or boring terms  of views. Let me just check the scoreboard what   02:35:21,221 --> 02:35:28,031 exactly are we supposed to do? Because access the  administration section? What's in the two star   02:35:28,030 --> 02:35:32,080 here? login with the administrator. All right, so  we're trying to access the administration section.   02:35:32,080 --> 02:35:39,221 So let's try and access that right over here.  So I'm just gonna type in admin administration,   02:35:39,221 --> 02:35:45,731 like so I'm gonna hit Enter. And yeah, that was  pretty easy. And we get the email right over here,   02:35:45,730 --> 02:35:54,130 admin and do shop. That's the admin email. And we  have all the emails right over here. So we have   02:35:54,131 --> 02:36:02,981 you met juice, juice shop, Bender, and some other  uses. And we have also, yeah, alright, so we got   02:36:02,980 --> 02:36:09,610 the registered users customer feedback, and the  recycling requests that have been posted so far.   02:36:09,610 --> 02:36:14,590 Which means you're starting from the basics.  So I think we can try and log in with admin,   02:36:14,591 --> 02:36:22,016 but we don't know the password. So yeah, so I'm  just going to log out. And let's see if we can log   02:36:22,016 --> 02:36:29,290 in with the password here. admin, I do shop, and  I probably I'm probably guessing we have to use   02:36:29,290 --> 02:36:33,580 SQL injection. And in this case, I think I know  what to do, because I have done this before. But   02:36:33,580 --> 02:36:38,801 it has been changed quite a bit since the last  time because I think in the previous versions,   02:36:38,801 --> 02:36:44,829 it was with admin only, there was no domain  oza username, I'm not too sure. Anyway,   02:36:44,829 --> 02:36:51,159 let's try and see if we can throw some  errors here. So if I log in, alright,   02:36:51,159 --> 02:36:55,239 so that means you have to provide a password. So  let me just try and use the single quotation. And   02:36:55,239 --> 02:36:59,559 let's see if that Yeah, it does throw an error.  And there Yeah, we completed the other challenge,   02:36:59,560 --> 02:37:04,450 which you successfully solved the challenge error  handling provacan errors here. So essentially,   02:37:04,449 --> 02:37:09,279 performing error enumeration, if that's something  you've never heard of, it's essentially where you   02:37:09,279 --> 02:37:14,529 just try and see all the CE o 's fuzzing really  just throwing, you know, information at the   02:37:14,529 --> 02:37:21,279 system, seeing how it responds. And we get here  the query. So we are performing SQL injection,   02:37:21,279 --> 02:37:26,769 because as you can see, tells us here we have  the the query right over here, which is telling   02:37:26,770 --> 02:37:34,030 us select and what this is saying is select  all entries from the user table where emails   02:37:34,029 --> 02:37:43,059 are equal to and we specify the single quotation.  And the password is what is this? This looks like   02:37:43,060 --> 02:37:52,480 a hash? What hash is this? Let me just check. I'm  think it might be MD. Five, I'm not too sure. Let   02:37:52,479 --> 02:37:59,139 me just check this hash identifier. And we just  paste that in there. Sorry about that. Let me   02:37:59,140 --> 02:38:05,320 just paste that in there. Yeah, this is an MD  five hash. So that probably let's just see if   02:38:05,319 --> 02:38:11,769 we can decrypt that or decode that. So I'm just  gonna say MD five decrypter, or something like   02:38:11,770 --> 02:38:17,650 that. Let's just see if we can do this online  really quickly. Come on, come on. I want to see   02:38:17,649 --> 02:38:24,549 what error because that's, that's a password.  Let's decrypt that. And we'll for some reason,   02:38:24,550 --> 02:38:29,890 it's taking too much time here. So yeah, yeah,  it's essentially hashing the password. Alright,   02:38:29,890 --> 02:38:36,669 interesting stuff there. We actually now know that  the password is being hashed, obviously, you know,   02:38:36,669 --> 02:38:43,239 with the Mt. Five, hashing algorithm or protocol,  whatever you wanna call it. So original. And yeah,   02:38:43,239 --> 02:38:50,800 that is the query statement there. So we can try  some basic SQL injection. And some of the basic   02:38:50,800 --> 02:38:57,240 ones to log into admin or to essentially log  into the administration, the admin panel is,   02:38:57,240 --> 02:39:02,820 now the thing that's weird is are we going to use  the password do we're trying to get authentication   02:39:02,820 --> 02:39:08,400 so that means let me disclose that. That means  if we just throw the error one more time,   02:39:08,400 --> 02:39:16,110 or get the when you were able to get the query  here. So we are saying select actually start from   02:39:16,110 --> 02:39:24,001 there. Select from users, so select all queries,  all entries from the user table, from where email   02:39:24,001 --> 02:39:32,581 use the table. So there's users Alright, so the  user, the user table as email and password, okay,   02:39:32,581 --> 02:39:41,070 I follow now. So that means we can try we can  try, we can try and use the or statement here.   02:39:41,070 --> 02:39:47,610 And probably we can use the not statement if we  are going to Yeah, that will make a lot of sense,   02:39:47,610 --> 02:39:52,590 but we only using email so we'll keep the  single quotation. So what that means is,   02:39:52,591 --> 02:40:00,901 is if you know about SQL injection, hopefully I  can explain what's going on here. So we know that   02:40:00,900 --> 02:40:07,171 the password is being hashed, we're saying select  from the table where email and password. So that's   02:40:07,171 --> 02:40:13,110 the statement. So select from the table for sort  of select from the users table where the email   02:40:13,110 --> 02:40:21,270 and password is going to be equal to is going to  be equal to what we have entered. But remember,   02:40:21,271 --> 02:40:28,231 the the password has to be has to stay as the  single quotation. So that means your we are   02:40:28,230 --> 02:40:32,820 going to be using the or so this is basic use,  you guys should be knowing this, but if you want   02:40:32,820 --> 02:40:39,001 me to cover it, let me know so or equals or so or  one equals one. And the other ways of doing this,   02:40:39,001 --> 02:40:44,700 I think I'll post a cheat sheet in the description  section, you can check it out for yourself just   02:40:44,700 --> 02:40:50,251 to get up to scratch with what's happening. So  what we're saying is we're using the or the or   02:40:50,251 --> 02:40:56,671 the syntax of or is very simple. It's where we  have the what's happening here is we're seeing,   02:40:56,671 --> 02:41:03,030 we're seeing Okay, so if you know the syntax  for how a query is made in SQL, it's really   02:41:03,030 --> 02:41:09,120 very simple. So we're saying select from, from  the table, remember, this is specifying a table,   02:41:09,120 --> 02:41:15,600 not a column. So it says select from the  users table from select from the users table,   02:41:15,601 --> 02:41:22,321 email password, so comparing and then we say  all the new specify the condition with a value,   02:41:22,320 --> 02:41:29,850 we can enter our into fields. So we can say the  value of the email can always be changed. And we   02:41:29,851 --> 02:41:33,720 obviously know that that is the first account  that was created. And the password is going to   02:41:33,720 --> 02:41:40,231 remain the same. So we hit login. And yeah, we  get still keep on getting an error here. Now,   02:41:40,230 --> 02:41:48,480 that is weird. No, because if I specify there is  no comment here, or one equals one, yes. So it is   02:41:48,480 --> 02:41:57,959 working. So you can see. So select from users,  where one equals one and password. Yeah, so we   02:41:57,960 --> 02:42:03,000 want to nullify and password we don't want and  there. So for that we use the user comment here.   02:42:03,000 --> 02:42:09,690 And there we are. Excellent. So we're able to log  in to the administrators use account. Alright,   02:42:09,690 --> 02:42:14,639 so let me explain what happened there. So as I  said, the the syntax of the query was as follows   02:42:14,640 --> 02:42:20,911 we're selecting from the users table, we're  selecting the email and password and comparing   02:42:20,910 --> 02:42:25,080 them to each other. So they have to match show  up, you're performing a query, a simple query,   02:42:25,080 --> 02:42:31,740 and what we said is, or that's a conditional  statement. So we're saying or that we specify   02:42:31,740 --> 02:42:37,320 the condition where the first value is going to  be equal to the the, the first one is going to   02:42:37,320 --> 02:42:43,980 be equal to one, and we nullify the, the password  where the password was we're essentially removing   02:42:43,980 --> 02:42:49,440 authentication. And we are what because we're  including the comment syntax for SQL. Alright,   02:42:49,440 --> 02:42:55,049 so that was pretty simple. But now, the thing  that's bothering me is we don't have the   02:42:55,050 --> 02:42:59,670 password. So let me just check the scoreboard.  And let's see what progress we've made so far.   02:42:59,670 --> 02:43:08,910 So have access administration section that's  not in here that is in here. So log in with the   02:43:08,910 --> 02:43:14,280 administrators use account. Marino the password.  So I think that's how we're going to be logging   02:43:14,280 --> 02:43:22,770 in. We know the email, because if I just go back  into administration here, administration, I hope   02:43:22,771 --> 02:43:32,611 the video is not getting too long. So we have the  admin. We have the admin email here. Um, oh, yes,   02:43:32,610 --> 02:43:39,390 yes, yes, yes, we have the token. So if we inspect  the element, and we go into the cookie editor,   02:43:39,391 --> 02:43:43,981 for example, we can use that or you can just use  storage. But I should have done it, you know,   02:43:43,980 --> 02:43:49,230 from the cookie editor from the beginning. So we  have the the token here. And I talked about this   02:43:49,230 --> 02:43:54,720 in my other video actually went through this  with the token. So. So we're gonna say token,   02:43:54,721 --> 02:44:01,921 I think the site was it's a JSON tokens, a token,  decode, and should be the first site here, the   02:44:01,921 --> 02:44:09,301 JSON web token. So jw t.io. That's an excellent  site. And we talked about this. So if you want to   02:44:09,301 --> 02:44:15,511 watch that video, I'll post it in the description.  So you can check it out. And the email is admin.   02:44:15,511 --> 02:44:20,071 So that's the authentication token, and that  gives us all the information we need. All right,   02:44:20,070 --> 02:44:26,700 so we have the password here. But again, what is  this hashed into? That looks like MD five again,   02:44:26,700 --> 02:44:30,331 but let me just confirm, and let's see what  that gives us. So the password is hashed,   02:44:30,331 --> 02:44:40,051 as we know with MB five, so let's just confirm  hash identifier, because there we are. Yeah,   02:44:40,051 --> 02:44:46,021 it is MD five. So let's just decrypt that one more  time. So I'm just gonna paste in that hash there.   02:44:46,021 --> 02:44:53,011 I'm just going to decrypt let's give that a few  seconds. Oh, my God, man, all the traffic lights.   02:44:53,011 --> 02:45:02,761 And let's hit verify. And yeah, there we are. The  password is I mean 123 Yeah, that's that's pretty   02:45:02,761 --> 02:45:07,891 basic, but again, replicating common practice  that you would find. So what was the email? Oh,   02:45:07,891 --> 02:45:15,331 boy, what was the email? Let me just log back  out. Correct. All right. So let me just use the   02:45:15,331 --> 02:45:22,230 statements. Oh, yeah. So we're logging in. So all  one equals one, because we're all the waters the   02:45:22,230 --> 02:45:27,210 I think we can access the the middle from the  administration. Sorry about that, guys. I know,   02:45:27,211 --> 02:45:32,959 I'm getting really mixed up. Well, we're  not logged in yet. So anyway, let me just   02:45:32,959 --> 02:45:41,480 log in. And we can do the administration here.  stration. And the admin I do shop at juice shop,   02:45:41,479 --> 02:45:48,229 a juice.up. Yeah, that's there to confuse  people. So you can guess it? And we're   02:45:48,229 --> 02:45:54,829 logging in with that. And the password is  admin 123. We're going to log in, and yeah,   02:45:54,829 --> 02:46:01,099 fantastic. So you solve the challenge password  strength. So that was the problem there. That's   02:46:01,099 --> 02:46:05,329 the vulnerability that they're trying to say  exists. So you know, again, password strength is   02:46:05,329 --> 02:46:10,609 something that people don't take into account,  login within message user credentials, without   02:46:10,609 --> 02:46:15,289 previously changing them or applying SQL. Could  you have done this with SQL injection? Probably,   02:46:15,289 --> 02:46:19,849 I'll have to cover SQL injection, because we know  SQL injection is one of those things that's really   02:46:19,849 --> 02:46:26,660 dependent on the query. So let me just go back to  the scoreboard here. I don't understand what else   02:46:26,659 --> 02:46:31,999 is left. There's still a lot of stuff that have  to cover. I talked about cross site scripting,   02:46:31,999 --> 02:46:39,109 but I think I'll cover that in the next video.  We'll explain it again. What is the what is the   02:46:39,109 --> 02:46:48,529 the confidential document error handling? Or we  don't have anything much they're actually someone   02:46:48,529 --> 02:46:56,058 else's basket? I did that. What else should I want  to cover here? Let's look at these ones right over   02:46:56,059 --> 02:47:02,660 here. So yeah, so the authentication area here  is where I want to look at. I think that's where   02:47:02,659 --> 02:47:06,409 I'm going to end this video. I know, I haven't  covered any advanced stuff. But hopefully that's   02:47:06,409 --> 02:47:11,359 like an introduction. So where we, where we have  been able to log into the administration in the   02:47:11,359 --> 02:47:17,178 administrators account, we are able to get the  scoreboard the administration panel, what else   02:47:17,179 --> 02:47:23,030 were we able to do? We were able to provoke  an error, not saying no nothing really complex   02:47:23,029 --> 02:47:30,979 there. And we were able to log in with the admin  tree at the administrators group user credentials.   02:47:30,979 --> 02:47:38,268 Now we looks like we can actually get access to  Max's search original users credential so again,   02:47:38,269 --> 02:47:42,709 another user that we can try and get access into.  Yeah, that's gonna be it for this video. Guys. If   02:47:42,709 --> 02:47:46,280 you found value in this video, please leave  a like down below. If you have any questions   02:47:46,280 --> 02:47:50,540 or suggestions, let me know in the comment  section on my social networks or on my website,   02:47:50,540 --> 02:47:55,700 and I'll be sure to leave your reply and I'll  be seeing you in the next video. Peace, guys.