Ethical Hacking 101: Web App Penetration Testing - a full course for beginners

Ethical Hacking 101: Web App Penetration Testing - a full course for beginners

SUBTITLE'S INFO:

Language: English

Type: Human

Number of phrases: 1770

Number of words: 37596

Number of symbols: 149396

DOWNLOAD SUBTITLES:

DOWNLOAD AUDIO AND VIDEO:

SUBTITLES:

Subtitles prepared by human
00:00
Hey guys, hackers, Floyd here. And in this  video, we're going to get started with the web   application penetration testing series. Alright,  so a lot of you guys have been asking for this,   mostly because you want to learn the art of bug  bounty. And here is the series. So have worked   really, really hard on, you know, making it as  comprehensive as possible, we're going to get   started with setting up burp suite. So for those  of you who don't know, what works, who it is,   burp suite is essentially an integrated  platform for performing security testing   of web applications. Alright, so the first thing  you need to understand is that it will allow us to   intercept the data being sent between your browser  and the web application. So it's, it's a great way   of understanding how data is being transferred,  and how data can be manipulated, be manipulated,   between the client, and obviously, the web  application. Okay, so the tool we're going to be   using, as I said, is burp suite. And I'm currently  running power to us. So don't worry, if you're   running Windows or Kali Linux, it doesn't really  matter, all we need to do is just download and  
01:01
install burp suite, it's pretty simple to get set  up, you don't have to register, you just download   the free community version. Now, obviously down  the line, you might choose to buy the professional   version, which I do recommend and I have used,  but I don't use it as often I'm not, you know,   specifically a web penetration tester, I'm more of  a more of an of a web server penetration tester.   So I really work with a different vectors. So  by default, you can choose to bite that one to   become experienced. And you know, you've chosen  whether this is the path that you want to pursue,   it's a fantastic path. I know a lot of people who  you know, make good money with bug bounty. So you   know, it's something that you can look into  as well. Alright, so let's get started with   setting up the proxy. Alright, so this is the  intercepting proxy that allows us to, obviously,   to intercept the data being sent to and from the  client and the, the web, the web application.   So to do that, we need we can just do it through  Firefox. So the browser I'll be using is Firefox,  
02:05
you can use whatever you want. And by default, you  want to go into your preferences that can be found   here preferences, there we are. And you want to  go all the way into the bottom here. That way it   has the network proxy, and make sure you go into  settings, and you want to go into manual proxy   configuration. Alright, so this is where we're  going to configure it to be the localhost with   the port set at 8080. All right, and then you want  to make sure that this, you use the server proxy   for all protocols. So that is the proxy we're  going to be using and just hit OK. Alright, and   once that's done, you should be good there. Now  what you want to do is just open up burp suite, so   you can search for it, or I have it already on my  on my little Taskbar here. And I don't think I've   updated it for a while. So I probably need to do  that later. But for now, I'll just close that the   update prompt and it's going to prompt you Welcome  to burp suite. And it's going to say not depending   on the version that you've chosen to select  whether you've chosen the community version,   which is what I have here, or the free version, as  it's called, and you then have the pro version. So  
03:10
by default, the community version only allows  you to use a temporary project, if you have the   professional version that allows you to save your  project, which is, you know, great functionality   as well. So just hit next and you just want  to use the verb defaults. And just hit start.   And just give that a few seconds to start it up.  Alright, and I'll explain the interface generally,   but we'll be looking more into how burp works.  In the next video, I just want to get you set up   with birth in this video, and you understand what  exactly is going on. Alright, so welcome to birth.   Now by default. Again, it may seem a little bit  intimidating mostly because if you're a beginner,   you have not heard of any of these of these words  here and you don't really know what they're doing.   Alright, so by default, you have your target proxy  spider scan into the repeater, sequencer, decoder,   compare extender, your project options, your user  options, and alerts, we'll be going through all   of this as we as we, you know, perform real  world testing on our on our vulnerable on our  
04:10
vulnerable target, I'll be showing you how to  set up a dam vulnerable web application soon,   and many others but for now just focus on burp  suite. Alright, so by default, you want to just   go into proxy. Alright, and for some reason, I  already have some data here. So you know what, I'm   just going to leave that as it is, I just want to  turn our intercept off. So we're not intercepting   any traffic as of yet. And you want to go into  your options. And you want to make sure that your   proxy listeners, as you can see, burp proxy uses  listeners to receive incoming HTTP requests from   your browser. So you want to make sure that your  proxy is set as the as the one we set in Firefox,   which is the localhost 120 7.0 point 0.1 and the  port is 8080 and make sure that that is running.   Alright, you can also create your own and add it  here and you're going to To remove it, so you get   the idea. Now by default, if I just go back to  my intercept, if I just go back to my browser,   and this is where the real magic happens,  if I just, you know, if I just open this,  
05:12
and I type in a simple test site example.com, and  I just hit enter, alright, it's going to load it   up here. But if we're going to burp suite, and I  go into HTTP history, you can see that by default,   there are some Firefox portals. You know, some  get methods here. But we'll be looking at all of   these methods or requests. By default, you can see  that the example.com, the example.com, one would,   you know, that we ended, you can see there is a  get request. And furthermore, if you go down to   the bottom here, you can see there is some more  information regarding now what a request are sent   to the web application. Or so by default, you can  see that the host was example.com. And it gives   you more information, like the Accept language,  the encoding, the connection. And if you look at   the headers, you can see that the header shows,  you know very clearly, you have your get host,   use agent accept language, the Accept encoding,  connection, etc, etc. So you might be a little bit  
06:15
confused if this is your first time hearing about,  you know, headers, and the request and response   pairs. But don't worry about that we'll get to all  of this for now, if I just go back into intercept,   and let me just open up my browser here. And  we open something like the my web, my website,   would you say it just like.com. So before we do  that, I just want to hit intercept on. Alright,   so now it's going to intercept actively. And we  just go into Hs pro.com. And I hit go. Alright,   now by default is going to tell me that  essentially, the mic connection is not secure,   don't worry about this, just go into your and  just add this as an exception. There we are   made confirm exception. And now it's still not  going to load the website. And the reason being   is we have not forwarded the request. And they are  being intercepted by burp suite. Alright, so if I   go into back into burp suite, you can see that it  has started the intercept process. And by default,   you can see that we need to forward we need to  forward the request here. So if I just forward it,  
07:21
let me just for that again, there we are, let  me just for them for hackers out there. Yeah,   that's the correct one. So all for this again.  And there. We also know hackers blade should   be up and running. And as you can see, I should  have loaded the site. Give that a few seconds.   There we are. Alright, so as you can see, that  is how you intercept the data that is being sent   from the client to the web application. And  furthermore, that's how you, you can analyze   the data being sent, and furthermore manipulated  to obviously find vulnerabilities within the web   application. Alright, so irregardless of all  of this, I know, this was very, very basic,   and it's not really covered anything in terms  of web application penetration testing. But   don't worry about that, you know, we start off  really, really simple. And we build on that.   We're going to get started with spidering, more  specifically spidering, with burp suite. And,   you know, the purpose of this video or this  tutorial, is to help you understand the   spidering process and how to go about doing  it with a burp suite. Alright, so there's   going to be a little bit of theory here, but  I'll be explaining a lot of things. So again,  
08:27
this video is really focused on understanding  spidering. Now, before we get started with that, I   just wanted to let you know that the target or our  web application that we're going to be targeting,   we're going to be attacking is the damn vulnerable  web application. Now, if you don't know what the   damn vulnerable web application is, that's fine,  you can just Google it. And I'll probably make a   video on how to get it installed on Kali Linux.  But what I would recommend if you're, you know,   beginner, or even if you're a professional in  hacking, probably one of the best things that you   need to have, you know, in your kit is Metasploit  able to write and for the simple reason that it   contains, first and foremost a vulnerable  operating system. And secondly, it contains   all the vulnerable web applications that we will  be using at one stage during this series. Okay,   so we're going to be starting off with the  damn vulnerable web application. As I said,   it comes pre installed with meta splittable, too.  So all you need to do is get the local IP address   on your mat, exploitable to virtual machine,  which in my case is 190 2.1 68 point 1.1 a dupe.  
09:29
So what I'm going to do is I'm going to open up  my browser, and I'm just going to open up that   webs that IP address point 1.1 or two, and just  give it a few seconds to load up. As you can see,   there we are, that's made exploitable too. And  it's going to prompt us to select what vulnerable   web app we want to use. In this case, we're going  to select the DV w A, which is the dam vulnerable   web application. So just click on that and it's  going to ask you for your admin and password in   this case for your username and password Sorry  about that, in this case Your username is admin   and the password is password. Alright, so just  hit login, and it's going to log you into the   damn vulnerable web application. Now we'll be  looking at this at a more in a later video. And   the reason is we have to go through all of these  options. But for now, if you go to the login,   just remember where it was, if I can just go  to the security, so to the dam vulnerable web   application security, at the moment, it was high,  because I was actually performing some tests on   it, but just change it to medium or low. But for  now, you wouldn't be using it. I was just letting  
10:31
you know what web application we're going to be  using. Alright, that being said, let's move on   to burp suite. All right, and we can I can start  explaining the spidering process. Right. So let   me just open up burp suite. So I've updated it to  the latest version. I think I'm running Catalina   next now in the previous video, I was running  parrot. So I think there should be an update,   but I could be wrong. So let's just give that a  few seconds to start up yet there is an update. So   I'll do that later. And we'll just click on create  our temporary project and use the bap default and   start that. Okay, so once that starting, let  me explain what spidering is right now the   purpose of spidering is to identify our scope,  alright, or what, what we want to scan. Now this   is not exactly scanning, and we'll be looking at  scanning. But essentially spidering is the process   of mapping out our web application, and is very,  very useful for finding links and and web forms,   which is also very important because it will  allow us to then furthermore, attack the web forms   manipulate headers, etc, etc. Right now, when you  talk about automatic spidering with burp suite,  
11:36
it essentially when when burp is spidering,  it follows links and it will, it will start   following links and it will start identifying for  files, folders and forms from the web application.   And it will, the great thing about this is it will  record all the requests and responses while it's   performing the the old spidering process. Okay,  so once you have a burp suite opened up here, you   can let me just expand it. So we have a greater  picture of what's going on exactly. Sorry, if my   virtual machine is a little bit slow, I need to  configure it correctly. Anyway, what you want to   do is we have looked at the proxy check section,  let's look at the spider section. And in here,   this is a very, very simple menu and to understand  it, you can see that we have two tabs available,   we have the control tab and we have the options  tab. Alright, the control tab. Essentially,   if we just click if I just look, if we look at it,  as you can see, these settings are used to monitor   and control the web spider. So it allows you to  stop to start and stop the burp spidering. And  
12:37
you can also clear the cues. Alright, when you  look at the options, which is right here, sorry   about that, when you look at the options, there  are a lot of options, we'll be looking at them,   I will be looking at them in a second. Sorry  about that, I actually got an email, apologies   that. Let's get started. Now with the control  section. So the control section, it will all   we are able to control the spider status where we  can stop it and started and you know, furthermore,   we can clear the cues that already exists there.  Alright, we then have the spider scope where we   can, we can define our own scope. And depending  on what we want to spider, we look at that in a   few seconds. And finally, we look at the well if  we look in the Options section here, we have the   crawler settings which allow us to specify the way  the spider is going to crawl for the web content   on the web application, we'll be looking at the  maximum link depth and what that means passive   spidering that allows us to essentially spider to  continue spidering when we are looking through or  
13:40
we're going through the web application, we're  performing requests and responses when we're   performing requests. As for the form submission,  this is probably something that we'll be looking   at in the next video and we'll be doing this.  Practically we will be actually performing the   we'll be performing the spidering process. But  for now, let me see what else Yes, the request   headers. The request headers are used to you can  manipulate essentially the headers. If you've   learned about HTTP headers, by the way, I really  want to cover HTTP because it's very important   that you understand how the ad is work. But we'll  be looking at this all in advance. But now let's   start off with the spider status. Well, not really  with the spider status. But looking at the control   tab. If you look at the spider scope, you can see  that you can it will use the default suite scope,   which is defined in the target tab. If you just  click on use a custom scope, you can see that   Okay, first, you over, if you just click on this  little cog here, you can restore the default, you  
14:41
can load your own and you can save the options.  So that's just to do with that. Now when you talk   about using the advanced scope here is where you  can essentially this is where you specify what you   want to map so you can specify a host, the port,  etc, etc. Okay, again, we'll be looking at all   of this as We move along. But for now, we're just  going to use the default suite scope, we can just,   if once you click on that, it's going to start the  spidering process, but we don't need it right now.   So I'm just going to come just going to pause  it. And if we move on to the options now the   Options tab has a lot of stuff that we need to  look into. First and foremost, we have the CRO,   the crawler settings. Alright. So when you're  talking about the basic options, for example,   we can specify what the spider will crawl for.  So it you can choose to select for robots,   the robots dot txt file, which is very important  because it shows you, you know, exclusions,   you then can detect, you can ignore the links to  non text content, you can request the root of all  
15:41
directories very important stuff. But again,  you can customize this to your liking. Now,   one of the things I would recommend that you'd  not touch with, if you do not know what you're   doing yet is the maximum link. That's right, the  maximum link depth is essentially the number of   links you want the spider to, to essentially, to  crawl or to map. Now by default five is in my,   in my, in my situation, or in my case, what I  like doing is alternating between three to five,   anything higher than that will usually overload  the web application, and it will cause it to lag   or to respond very, very slowly. And, you know,  again, that might not mean a lot right now,   but trust me, when you'll actually be performing  the penetration test on the web application,   you really need a good response. Otherwise,  you have your time to live, etc, etc. Okay,   so let's look at what passive spidering is,  alright, so as passive spidering. And said,   is essentially just, it allows you to continue  scanning, you know, or going through, or  
16:42
actually performing your requests how as as it, it  essentially allows you to continue the spidering   process as you're performing any other tasks.  So as you can see, passes by during monitors,   monitors traffic through the burp proxy to update  the sitemap without making any new requests,   right. So passively spiders you browse, you can  also select the link depth associated with proxy   requests now this, I would recommend keeping  it at zero to two. And that's because again,   you do not want a very, very deep alert link  depth in the sense that you're also going to   be performing your own requests, and you'll be  doing many other things you could be looking   at the decoder or you could be looking  at, you could be focusing on the target,   and you don't want it again to to slow  down the web application. Alright,   so form submission. Again, this is something that  I said we'll be talking about in the next video,   because it is quite advanced. And we'll get  started with the damn vulnerable web application   there. Moving on to the spider engine, we'll be  looking at application login as well. But for now,  
17:42
just we'll just keep over that when we talk  about the spider engine. Alright, these settings   control the engineers for making HTTP requests one  spidering. Right. So this allows you to change the   number of threads you want to use. And as I said,  using more than we can see right now it's at 10,   what I would recommend is still keeping it within  the range of two to five are all you might,   you might cause the web application to slow  down. And these are more advanced settings that   you can use dependent on timing. All right,  and we've talked about the request headers,   they allow you to modify the way the spider will  we look towards the web applications, for example,   you could you could edit the the device that is  being used. And you could change it, for example,   into a mobile device and you get the idea you you  essentially allows you to to change the request   headers. And from that, obviously, you'll get  a response back, dependent on what you changed.   Alright, so that was the spidering, or actually  the theory revolving on spidering. Now we'll  
18:46
be looking at how spidering really works in the  next video. I know some of you may not like this   that I actually went through through theory, and I  haven't talked about doing anything. But remember,   it's very, very important to understand what  exactly is happening behind spidering. And   in the next video, we'll actually get  started with the spidering process.   Get started with brute forcing with the rates  or our vulnerable web application of choice is   going to be the damn vulnerable web application,  as we discussed in the previous video, alright,   and I'm going to be using meta exploitable  to as our as my server. By default,   you can install medispa, you can install the damn  vulnerable web application on your Kali Linux,   and you can host it on your local on your local  server. And you can you can then perform your   attacks. But I like running it from another  virtual machine. And as you can see, I'm running   it on the Metasploit able to virtual machine. And  by default, it's connected to my local network   and it's bridged. So you can see that my local IP  address is 190 2.168 point 1.1 or two. Alright, so   I already have the damn vulnerable web application  open as you can see it is running on the that IP  
19:52
address of the meta splittable to virtual machine  on the the damn vulnerable web application. So for   those of you asking why I'm using Metasploit able  to instead of meta splittable. Three, it's because   Metasploit able to has a much larger choice in  terms of vulnerable web applications. And it's   really good for practicing. Alright, so make  sure you're logged into your damn vulnerable   web application, you need the default username  is admin and the password is password. Alright,   it's really very simple. Alright, by default, In  this video, we're going to set our security level   too low. If you don't know how to do that, you can  go into your deverbal web application security.   And you can set that too low, and you can just  hit submit. The reason we're setting it too low is   because most logins Are you know, if you look at  the real world, if you're talking about big sites,   this attack may very well work on sites that  are older, or sites that have not been updated,   or sites that don't have good security, you'll  be shocked to find some really big companies   that actually don't have any login protection,  or brute force protection for that matter. Now,   that being said, what I was talking about is if  we go to brute force, you can see that we have  
20:54
a login prompt here. Now I forgotten the username  and password, and we're going to be brute forcing   it live. Alright, but before we do that, we  need to actually start our birth. Alright, so   start up that suite. And you can see I'm using the  Community Edition. And it is the latest version,   right? So make sure that yours is the latest  version, obviously, for obvious reasons. And   we're just going to start a temporary project  because I don't use the pro version. And we're   going to hit use the birth defaults when you start  work. Alright, give that a few seconds to start   the to start back. And now you want to make sure  you you're using the proxy. So we're going to go   into preferences, and advanced and whoops, burp  is oh opened up, let me just go into my proxies,   network settings. And we make sure that  it's using the manual proxy configuration,   which is the localhost 120 7.0 point 0.1. And  the port is 8080. We're gonna hit OK, excellent.   Now we need to move into burp back again. And  we want to make sure that we go into proxy,   and the intercept is set to off. All right,  the reason we're setting the intercept off,   is because I just want to show you something  first. Now by default intercept essentially just  
21:59
means that you're not intercepting the request,  the requests and the responses being sent from   the web application to your browser. Okay, so  we have already set the proxy for the browser,   but we're not intercepting. So if we just test a  random username like test, and we say a password   like 12345, you can see if I hit login, it's  going to tell me that that is incorrect. Now,   if I set the intercept to on to see the request,  let me just turn it on. And we can now reload this   we can say test and the password 12345. We can  see that now it's for some reason, let me just   forward that after actually just turn that off.  And we now see log in. And for some reason that   is not allowing us because you have to reload.  Alright, so now if I hit intercept on, and whoops,   let me just open up my browser and hit the parcel  1345. Log In. For some reason it's going to,   it's going to slowly reloading here. I probably  there we are. Alright, so I've reloaded the page.   And as you can see, now the intercept is on and  we go back to burp, you can see that we got the  
23:04
get request being sent by the web application.  Now let's inspect it for a while now we'll be   looking at what all of this really means but by By  default, the most important thing right now is the   get request. Alright, so you can see that the get  request has two values here. It has the username   and the and the password. Now the values again are  not important we're going to be brute forcing the   values but it's very important to get the fields  that we're using here. Now what am I talking about   if you look at the cookie you can see the security  is low. And if you were to edit the value and for   the package, you can set it too high that is basic  stuff that's good stuff right? But now we want to   brute force this login. Alright, and how do we do  that you can see the first thing we need to do is   we're going to be using the intruder alright so  if you're a bit confused about what the in today's   Don't be worried intruder is essentially allow  allows us to edit the parameters, it allows us to   edit the requests and then obviously edit them and  manipulate them so we can get the desired results.   Now the great thing about there in the intruder  is it allows us to perform attacks like the brute  
24:06
force, etc, etc. Alright, but now what we need  to do is we need to send this request into the   intruder so that we can send our own response.  Alright, so we're going to right click and send   to intruder. So we just send it to intruder. And  once it's sent to the intruder, you can just hit   forward. Alright, we don't need window, we don't  need that GET request anymore. So now you want to   go into the intruder and you want going to your  positions. And as you can see in your positions   you have got you have got the get request that  we were we just intercepted. And now you can   see something really interesting. It's highlighted  for you all the different payloads. Okay, all the   different fields that we can brute force for. By  default we have the username value, the password   value, the login value, we have the F the SF ID  value, we have the the cookie value, no No, no,   we don't need all of these The only values that we  need The username and the password value. So the   most important thing you need to do right now is  you need to clear just hit clear. Alright, oops,  
25:07
sorry, not that clear. I beg, I beg your apology  there. I sorry, I didn't mean that what I'm trying   to say is I'm sorry, just clear, just hit clear.  And as you can see, now, no values are being   selected to be brute force against. So now we need  to select them manually. But before that, we're   going to be using the the cluster bomb attack  type. Alright, the reason we're using the cluster   bomb attack type is because we are going to be  using two values, we are brute forcing against   two values. Remember that, okay, and these need to  be set in, in combination. So that means it's much   better to use a cluster bomb because essentially,  you're clustering to values that need to be that   need to be tested against the login, the login  application, or the login form together, alright,   so in a combination, so we need to select cluster  bomb. And now we need to select the values because   those are the those are that is what we want to  brute force again. So just highlight the value,   it doesn't matter the password or the username  is just highlight it, and you want to hit Add.   Alright, so just hit Add. And as you can see,  we have selected that, you know, going to the  
26:09
password, and you want to highlight that as well.  And you just want to add that, as you can see   now once you have added that those are the two  values we're going to be brute forcing against,   make sure that none of the others are selected  none of the other values. Once that is done,   you're you're almost there now. Now you want to  go into your payloads. Right now in your payloads,   you want to make sure that your payload set is set  to two, which is your username and your password.   So let's start off with your payload set as  payload one, all right as your payload type,   make sure that that is a simple list. Because  you can see we were only targeting usernames   and passwords. So we don't need, you know, a  runtime file, or we're not changing anything,   you know, dependent on Unicode etc, you get the  idea. Okay, so simple list. And now you're going   to your payload options, which is where you select  your user list or your password list or your word   list. Now, we're not using a word list. But if  you want to, you can if you're performing this   on a real site, which I don't recommend unless  you have written permission. Now since we're   using this in our penetration testing lab, we are  going to just add the default usernames and said  
27:12
the security of the site is low. And it's not  really a complex a brute force to crack. Okay,   so what we want to do is, we want to make sure  we have set payload set to one, which is going   to be for our usernames. So now we can go into  load where you can load your default usernames   and your passwords or your word lists, but by  default, we're going to add our own Alright,   so we're gonna say, whoops, we, for some, we're  just gonna say, we're going to type in a now like   the commonly used usernames, alright, so something  like admin, administrator whoops, for some reason,   actually, let me just remove these blank values  there. admin now administrator, administrator, let   me just type that back in. administrator, like, so  administrator, for those of you telling me that my   typing is bad. That's because my microphone  is right in front of me, and I can't really   see what I'm typing administrator. Let's see what  else what are the default ones like we have root,   we have password. Actually, we're not setting  the passwords right now. So we can just type in  
28:14
the default ones like this. All right, so we can  say test, you know, the default ones, user one,   whatever you think could be the most commonly used  ones, okay? Or if you know what the username is,   that is even better. So we're gonna add all the  usernames. Alright, so we've added the usernames   that we want to use. Now by default, again, I'm  saying you can use a word list if you want to just   go into load and select the word list. Now we want  to select our passwords, right? So we can go into   the payload set to. And as you can see, now we  can add our own values. Now we can use the default   word lists that come with Kali Linux. So if I go  into my root, and I'm going to use them, share and   reselect word lists, let me just find where word  lists are. If I can find them, there we are word   lists. And they are the ones that work great for  me in the Metasploit folder. And you can look for   the default passwords. As you can see, you have  your database default passwords, you have your   default, user password for services, that's also  great. It has a great list of of default usernames   and passwords that you can use. But for me, I'm  not going to use this because we are sticking  
29:15
to the basics. And now you want to add your own  password. So we can select again, some randomly,   you know, commonly used passwords. So pass, you  can say password. Let's see what else admin, you   know, admin again, whoops, let me just remove that  one admin. Route, you can use route. Let's see,   let me think 12345. That was the one that I've  seen many network administrators using 12345.   And you get the idea. All right, so we've set our  two payloads. payload one is set for usernames.   payload two is set for passwords. Excellent. All  right now, we have selected our payload types we   have selected we have added our payload options.  We don't need to look at payload processing that   is advanced once That's done, what you want to  do is going to intruder and start the attack.   Alright, and now it's going to tell you that the  Community Edition of burp contains a demo version,   but it's essentially telling you that the process  is going to be slow. Alright, so we're gonna hit   OK. And it's going to start at the attack. As you  can see, it's going through all the combinations.   And as you can see, the combinations that we  have here are 25, and is going to go through  
30:20
all of them. Now, one great thing that you need to  do here or one important thing that you need to do   is you need to understand the the the status codes  that the server or the web application is sending   back. Now, that's a good way of, of understanding  what password is correct? And what what username   is correct and what password is not correct.  Okay. So if we look now, at the, at the results,   as you can see that it's finished, it's going  through the brute force attack, we check the   status, the status is still the same, we have a  status to 200. If we look at the length, right,   the length is going to be still the same. But you  have to look for things that are not that are not   matching. So for example, you can see that the  length here that was returned was 4948. And it's   not, it's not following the format of the others.  So that means that this could be the username   and password, don't worry about the status, the  status will still remain the same, regardless of   that. But when we'll be looking at Advanced Server  penetration testing, that's something important.   So you can see that the get that we've got here is  very important. Now if we look at the if we look  
31:25
at the response that will be sent. Right there,  you can see the response. And if we render it,   you can see that if it was successful, it will  tell us that we've logged in successfully. So let   me just browse down all the way as you can see,  welcome to the password protected area admin.   And there you go, that is the username and the  password is admin and password. Now again, this   was really simple. Again, you can you can increase  the security if you're practicing on your own. But   you can see that this really works. And this is  how to utilize burp for advanced stuff like brute   forcing. Now again, most of the advanced websites  nowadays have great content management systems   that have the security plugins that essentially  prevent you from brute forcing or lock you out.   But most of the oldest sites, you'll be, you'll  be actually quite shocked to find out that they   are brute forces, they are log informed sorry,  are not protected. Now we've already logged in,   and you can see that the default username is  admin, and the password is password. Okay, so you   can look at the role. The raw HTTP here, you can  look at the request and the response. Or you can  
32:29
look at them and you can inspect them, if that's  what you do. And you can look at the headers,   what's being sent, all that good stuff. But that  was going to be it for this video. And now if we   just go back into burp, let me just go into my  proxy. And I'm going to disable intercept. And   we can try and log in here. So we know that  the admin username is admin and the password   is password. So let me log in. And welcome to  the password protected admin area fantastic.   In this video, we're going to be looking at  selecting our verbs with our target in web suite,   adding it to our scope, and then finally spidering  it as my vulnerable operating system, I'm going to   be using the Matilda de which comes pre installed  on Metasploit able to so you should download Well,   I would recommend that you download Metasploit  able to, it's a fantastic option for any of you   who are just getting into penetration testing  offers multiple vulnerable web applications   and vulnerable systems that you can practice  with. So again, it's something that I really,   really recommend. That being said, as you can  see, I have made exploitable to virtual machine  
33:36
running. And I have already looked at my local IP  address, you can do that by typing in if config   that will display to you your your current network  interface and your local IP address. Because we   are doing this in our virtual penetration testing  lab. Alright, so let's go back to Kali Linux now.   And I'm going to open up my browser, make sure  you get your IP address. And as I said, again,   we're going to be using motility. So if you don't  know what Mattila day is Mattila day is simply a   vulnerable web application. And the reason I'm  switching I'm switching from the damn vulnerable   web application is because I want to show you  a few, I really want to make it a bit diverse   in terms of the web applications that we use.  Alright, so let's get started now. Now I already   have the IP address of my virtual machine opened  up here in my browser, as you can see, 190 2.1   68 point 1.14. So if I reload this, you can see  that it indeed is the meta splittable to server   and I can just go ahead and click on Mattila  day. Alright, now what I should do now is go  
34:38
into my preferences, you can do that by opening a  new tab. So let me just open a new tab here going   into preferences, and then selecting advanced and  network and finally settings. And then you want to   make sure you select a manual proxy configuration.  And then make sure it's using the localhost proxy,   which is wondering 7.0 point 0.1 Port 8080 and  hit OK. Once that's done, we know that burp suite   can intercept. Not that we want to do that in this  video, we just want to, we want to have a look at,   we want to map the web, the web application.  Alright, so we're not going to change anything   in Mattila day. But I'm going to be showing you  some pretty interesting things in this video.   So now we should start up burp suite community.  Now I'm going to be explaining something at the   end of the video that is really important. And it  is in regards to the community version, and the   professional version of burp suite and what what  the differences are and why you will need at some   point to get the professional version. Okay, so  I'm going to select a temporary project, I'm using  
35:40
the community version as of right now, hit Next,  use the bird default, and I'm going to start up.   Alright, so it's going to start burp suite. And  let me just minimize the browser here. So give   that a few seconds to start up. And once it starts  up, what you want to do immediately is turn off   the proxy, we want to stop in the intercepting  because we are not intercepting any requests,   or we are not inserting any responses. So go back  into your target. And now we can get started with   with actually reloading the page right here. So  let's reload that. And we should be able to see   what's going on. And we should have the sitemap.  Alright, so let me just open up the burp suite   here. Fantastic. Alright, so now you can see  something very interesting has happened here.   In our target. And sitemap, we have the files that  were discovered here. Well, essentially, we have   the web server that then has the modality folder,  which is our target. Now before I get into any of   that, the site map will show you the current  site map. Obviously a site map is essentially  
36:43
sorry about that a site site map is essentially  the structure or the format of the webpage,   and how the web page was constructed and how it  will function in regards to every other piece of   content. Okay, so the first thing that we need to  do, or we'll be looking at is actually selecting   our target, which in this case, again, is Mattila  day. And you can do that by right clicking and   hitting add to scope. All right, so you might  be asking what exactly the scope means? Well,   a scope essentially allows us to define our  automated spidering. And what this means is   we are focusing our only on our target, we're  not going to focus on the reference links,   like you can see here, for example, we have to  it as a reference link, backtrack, dynamic drive,   Eclipse, etc, etc, you get the idea. So scoping  is essentially selecting our target, isolating it,   so that we only see what we need to see. And  the obviously the results that we want to see.   So I'm going to right click on Mattila day,  and I'm going to hit Add to scope. Alright,   so now it's going to say you've added an item to  to the target scope, do you want that proxy to to  
37:46
stop sending out scope items out of scope items  to the history of the other bedtools? Yes, again,   we want to make sure that we are we clear out all  the junk that we don't need. Now you might have   noticed? Well, that's essentially happened, but  nothing is really changed. And as you can see,   it's gonna tell you here logging of out of scope,  proxy traffic is disabled, don't worry about that,   just leave it as it is, if you want to re  enable it, you can go ahead but right now you   don't need to do that. Okay, so we've looked  at how to add our target to the scope. Now,   let's look at spidering is essentially the  the first and the most important step of web   application penetration testing. Alright,  it is it deals with or it is in it is in   relation with footprinting. And this is why I  bring the comparison from penetration testing   to obviously web application penetration testing  it is to deal it essentially deals with crawling   through the website. And then it records all the  files, the links and the methods and the methods   that it can get. And that helps us build an idea  of how the web application is structured, how it  
38:49
works. And then finally, we can learn how we can  break through it. What we need to do is we need to   spider our target. Well, we have added it to the  scope, which is great. And now we need to spider   it. So what we're going to do is we're going to  we're going to use spider and this will help us   identify all the links and the parameters that we  need. Again, as I said, it's like footprinting. So   what you want to do is right click on your  target, which in this case is Mattila day,   and you want to spider this branch. Alright,  so I'm going to spider this branch. And no,   something interesting is going to start happening.  As you can see, it's going to start getting all   the links all the resources that it can, and it's  going to prompt you with here a submit form. Okay,   now, what you can do is just ignore the form,  there'll be quite a few essentially, these are   default login forms where it's asking you to  enter credentials that you might want to enter,   let's say you, you're performing whitebox, then  Richard testing and you have the details. You   can again log in like this and perform internal  penetration tests. But we're going to assume   that you're you do not know your penetration,  you're essentially performing a penetration  
39:50
test on the security. So I'm going to ignore  all of these forms. Okay. And as you can see,   there's another one right there and the spidering  is probably continuing. Now if you want to view   the status of these By doing, you can go into  spider. And as you can see you have the status   of the spider. And once it's done, you will see  that the requests made will stop changing. And   the bytes transferred, will also stop changing so  we can stop the spider. Now you noticed something   that we were faced with those are form login  prompts. Now, you can choose to enter them as   a prompt or as you're prompted, but the better  way of doing this is to actually you actually do   this automatically. And you can do this by going  into spider. And you want to go into options,   and you want to go in to your application login.  Alright. Now, if you look at the form submission,   it is essentially what it's doing is is going to  use the default form submissions that you would   find in a database. So for example, we have male,  first name, last name, surname, name, address,  
40:51
you get the idea. So those are default values  that one would, one would be expected to find. Now   we're looking at the application login. As you can  see, its option is set to prompt for guidance, we   want to change this to automatically submit these  credentials. Now in here you can enter default   credentials. Or if you have an idea of what the  credentials you might expect to find. Now, this is   where creativity and sheer information gathering  comes into play. So if you need a new the default,   you know, usernames and passwords, you can enter  them here. Now what I'm going to do is I'm going   to enter a string that is, well, I've used it  before in performing SQL injection, and we'll talk   about SQL injection because it is very advanced.  If you know SQL injection, or you have you have   an idea or experience with the databases, you  might understand what this string means. Alright,   so for my username, I'm going to change that to  admin, quotation mark and say, or one equal one,   and two dashes. All right space and a dash. Now  you don't need to worry what this means for now,  
41:54
please do not stress about this, I will explain  it when the time is right. All right. So leave   the password as it is. And don't worry about that.  Now, we had, we don't need to change anything in   terms of these tabs, we talked about these tabs  in the theory section. And now we can go back into   our control and target. And finally, we can spider  the application again, once more so that we can   enter the we can essentially process the strings  that we that we just entered in terms of the user   name, so I'm going to right click and spider this  branch. Okay, so it's going to start spidering.   And if we look at the spider, you can see that the  the spidering is complete. And you can essentially   clear the cues if you want to clear the clear them  like so. And you can keep on running it depending   on what you want to do. Okay, so I'm just  going to pause it. And now we have essentially   spidered the web application. And you might be  asking, well, I've seen a few reference sites,   that's not helping much, you know, we don't need  twitter.com or you know, sizzle js, this might   give us a basic idea of what types of sites are  linked to to the web application. But in reality,  
42:59
you can see we have hackers.org not not very  important information at all. Now, what if   we click on the Mattila day folder? Oh, look at  that. That's really interesting. Now that is very,   very important. What has happened here is it's  given us the structure of the web application,   this is vitally important. All right now, again,  as I'm saying, you can look at how the website   or the web application is structured. So in  documentation, you can see you can go ahead   and read the documentation, you can look at  the images that the website has the styles,   so you can inspect the entire site and understand  what exactly is going on here or get an idea of   what the person who developed the website was  thinking. And then finally, out of experience,   or as we'll be looking at out of knowledge, you  can actually understand how to exploit the system.   And that we will be talking about discovering  hidden files, hidden files, like admin pages,   login pages, you know, that really juicy stuff.  And we'll be talking about that in the next video.   And that's because that sweet Community Edition  does not support or have allow you to use that  
44:02
feature. So what I'm going to do in the next  video, I'm going to be using burp suite Pro,   and also show you an alternative program. I'm sure  you've heard of it. That also works on Windows.   Of course, that's how it works on Windows. But  I'm not really a Windows fan when it comes down   to penetration testing. So that being said, we  have essentially spider the application we have   the structure of the web application. And now we  need to look at something also very interesting   as we have already talked about it. Let me just  complete. Let me just show you how to get rid of   all of these reference links and to essentially  show the items in the scope only. So what you   can do is just click on filter right here, this  little bar here is the filter bar. So click on it,   and it's going to show you bring up this smaller  window and you want to focus on the filter by   request type and make sure you check show only in  scope items. This will essentially filter all the   results to show you only links or resources or  files that are within the scope. So once that's   done, just click back on the filter. And as you  can see it has got rid of all the junk that you do  
45:07
not need whatsoever. And now you can essentially  look at the, the requests and the responses and   analyze them accurately defined to your scope. And  this will essentially, it will stop confusing you,   I've seen many beginners make this mistake where  they don't define the scope. They do not know   what the target is, and they're getting links that  are not even relate to the website that they're,   they're trying to perform the penetration test  on. Now, since you know this knowledge, this   will help you get a solid foundation. And again,  you can start logging out of skip out of scope   proxy traffic when you want. Again, that's very  nice that they add that button right over there.   Alright, so now you only have the files that  you require, or the files that you're currently   performing the penetration test only. Now I know  this, this video was slightly, there was not a   lot of action. But again, it is very important  that you get this in the next video, we'll be   looking at how to how to discover hidden files  or files in general that you are not supposed to   find. Okay. And that can be done by right clicking  and going into engagement tools. As you can see,  
46:09
it is defined to the professional version of burp  suite. And we will be going into discover content   where I'll be explaining to you how to find  things like the login page or the configuration   page. Some things that web developers, you know,  actually just may try to hide them. But if it's   actually found, can really exploit the website  or can lead to the exploitation of the website.   We're going to start looking at how to discover  hidden files. But before that, I just want to take   you through a few things. Alright, so let's start  off with what OS base or o w SP. Alright, so what   does that mean? Well, essentially what it means,  or what it stands for is the open web application   security project. Alright, and its goal. Well,  essentially, it is a nonprofit organization   whose goal is focused on improving the security of  software. All right, so its job is to improve the   security of software. Now this project, the O w  SP, or the open web application security project,   created a tool called as the Zed attack proxy. Or  as you know, it the zap, many people like calling  
47:18
it zap. And I'm sure most of you have heard  of it. And you might have been, you might be   leaning towards burp suite a little bit more. But  I can guarantee you that zap is one of my favorite   tools. And I use it because firstly, it's free.  And for the people like for the students I teach,   I usually tell them to start with zap because if  you get zap, you'll automatically get burp suite.   And you only need burp suite when you're moving  into an enterprise environment where you know,   burpsuite is the recommended tool. And it is the  tool that you must use to adhere to certain rules   and ethics. That being said zap is a fantastic  tool. It's absolutely free. As you can see the   old w SP Zed attack proxy proxy, which is,  you know, abbreviated as zap is one of the   world's most popular free security tools and is  actively maintained by hundreds of international   volunteers, right. So it helps you find security  vulnerabilities in your web applications while   you're developing and testing applications. So  again, if you're a web application developer,   this is also a fantastic tool for you. And as I  said, it's going to be a fantastic alternative   to do burp suite. All right now that's not  to say that burp is bad. burp is more of a  
48:25
enterprise an enterprise developed software.  As I've mentioned in the for the first video   of this series, burp is focused on professionals.  Now that's not to say that zap isn't, but you'll   get the idea. Alright, so I'm going to be making  a separate video on installing zap and I'm going   to make a video on how to get accustomed to the  interface because it is slightly different. And   the language or English used for the interface is  again very well obviously very different but it is   quite different. So again, getting used to it was  also something that is quite helpful because we'll   be needing some of the enterprise features and on  only a tool like zap will be a great alternative.   However, if you do have burp suite Pro, go ahead,  it will it will just be the same thing. As I   mentioned in the previous video, it's really  very easy to to follow up where we left. Okay,   that being said, it runs on the same network  proxy, it runs on the localhost. So make sure   you're running it on the localhost and on port  8080. I'll be showing you how to change the port   if you so feel you want to. That's also another  great thing about us as AP is it allows you to  
49:30
change the proxies. So I have Mattila day opened  up here and it is again running on my Metasploit   able to virtual machine and it's running  on the IP address my local IP address 190   2.1 68 point 1.104 as you can see Mattila day.  Alright, so that's working perfectly. So let me   just leave those other tabs open because again,  there's no there's no real harm. Okay, so, again,   you can configure the material at a security level  if that's what you want, you know to do to make   things harder. But I'm just going to be showing  you the focus of this video, which is how to find   hidden files. Now, you might be asking, why do  we need to find hidden files? Or why do we need   to discover these hidden files or hidden files?  Firstly, are the files like admin login pages,   you know, maybe a robots dot txt, but that's not  really something that's hidden nowadays. It could   be a txt containing maybe usernames, you know,  something really weird, or, you know, pardon   my English or pardon my language, something dumb  that the web developers left behind, or, you know,  
50:33
just not configured correctly. And you'll see  what I mean in a few seconds. All right. So again,   these are the files that are hidden, and  you will not find them after spidering,   your web application or website. Alright, so let's  get started with zap. As you can see, I have the   logo right here on my it's added to my favorites,  let me just launch it, give it a few seconds, and   it should start up. There we are, the zap, give it  a few seconds again, and make sure you update it   usually the updates for the modules very, very  regularly. So make sure you update them to the   latest version, as they improve the speed and so  on and so forth. Alright, so it's going to prompt   you here, do you want to persist the substation,  that means Do you want to save this app session,   I don't, I do not want to persist the session at  this moment in time. So I'm going to start. Again,   don't worry, if you're not familiar with the  interface, I'll be going through it in another   video because it deserves Now you might be a  little bit overwhelmed. But do not worry, do   not stop going to you know URLs to attack that may  seem really really tempting. But again, you know,  
51:34
let's take it nice and easy. So let's talk about  the proxy, how to change the proxies. So to do   that, you can go into your cog right here, as  you can see, or you can go into tools and go   into options. Alright, but I like going into this  little cog here. And once you press on, once you   click on the cog, let me just enlarge that, you  will see that you have this huge menu. And again,   as I said, zap is a really advanced tool, and in  some cases can totally replace burp suite. Now,   looking at the proxies, you want to go for  the local proxies right here. It's obviously   starting with L. So local proxies, and make  sure that the address is hosted on localhost.   And you can change the port if you're using burp  suite and stuff, like you're just using both the   applications at the same time, or you're running  something on localhost already. So you can change   it to something like 8081, whatever you feel  is comfortable for you. Okay, so that's how to   change your proxies. And if you're running the  ad net, you can also go check this and that you  
52:35
should be good there, if you don't find that the  proxy is working. So just hit OK. Alright, now,   you see that there is no draya We are not going to  be looking at intercepting right now, but we will   be looking at that in a few in probably the next  videos, the advanced videos with SAP. Alright,   so let me just reload the material a page. And  as you can see, I'm running the proxy. So I'm   just going to reload the page. And as you can  see, we are not intercepting actively. So Whoa,   what's this? Well, we got some files here. Let me  just reload the page one more time. And there we   are, we are getting some results. So we get the IP  190 2.1 68 point 1.14. That's the server and if we   just click on this drop down here, we get request.  So you can analyze the get request. If that's what   you want, you can right click, and then analyze.  All right now will we not be looking at that right   now because I want to focus on finding the or  discovering the hidden files. So what we'll do   is we want to click on the utility folder. Now one  of the great things I like about zap is it already  
53:36
gives you the file structure or the website  structure immediately here. Alright, so again,   so you have your images folder, which has it,  the images there, you have JavaScript styles,   and your all the resources in regards to the  website that it could find naturally. Alright.   So if we, if we just look at the bottom here, you  can see that it it's showing you a timestamp with   the method that the URL, and it gives you the  the code which means the pages in this case,   the 200 code means the page was found, you have  the reason you have the RTT, the size, the alert,   as you can see, it's telling us we have a high  alert here. Now don't worry about that. Again,   these are things that you know will be will  really be tempting, but again, let's take it slow.   Alright, so the first thing you want to do or you  need to do is to right click here, and you want to   go to attack and hit spider. Alright, so we want  to spider the website or the web application and   start scan Do not touch anything here. Just make  sure it's using the appropriate server address  
54:39
and just hit scan. Right now it's going to spider  the entire web application and it's going to give   you a little progress bar here. You can pause  it or stop it which is also great to see at the   bottom you should have also noticed that you have  your tabs here that work really really well. And   as you can see the the website now is completely  spidered. And if we just check all the files that   we can find now you can see that we have some more  JavaScript files. And essentially what's happened   here is the entire site has been, has been  spidered. Okay, now we already did this with burp.   And the you know, you've you're probably really  bored of this right now. So what we're going to do   now is we need to, we need to start discovering  the hidden content, right. So let me just close   all of this up. There we are. Fantastic. Now,  let me just open that up. And let's go to Mattel   today. Oops, my bad Sorry about that, guys.  And we want to right click on Mattila day,   and you want to go to attack and you want to go  to first browse directory and children that's very  
55:39
important. First browse directory will not display  everything, we'll also be looking at fuzzing,   but that's for later. Alright, so you want to make  sure you hit forced browse directory, just click   on that. And it's going to open up this tab here.  So you can see we are despite the tab open, which   you can close read if you're not using it, which  is also great. I really like the management of   zap, you then have output for your outputs alerts.  As you can see, you have some alerts here that   will alert you on some potential vulnerabilities.  So for example, APPLICATION ERROR, disclose,   you have some cookies, a noise GTP flag. So again,  awesome stuff there. We have to get requests,   all that good stuff, which is again focused on a  different type of attack. And as you can see, by   default, we've got the robots. txt here, which you  can analyze if you want to, by clicking and going   ahead and doing that. So you can copy the URL to  the browser. So again, copy the URL to clipboard,   alright, and if we just try and explore this,  let me just paste and go here. As you can see,   we're for some reason, we're not actually getting  robots to txt. Let me use the motility date. Till  
56:44
today, or actually, you know what, let's not do  that right now, because I really want to stay   on topic here. So I'm just gonna go back into  that. Again, I always love going off topic,   fourth topic for some reason. Okay, so make sure  you click on motility and you want to right click   on it. And now Oh, sorry, we already did the  first browser, right click, go to attack and   first browse, directory and children. Alright,  now it's going to open up this tab here. And   it's going to, it's going to make you choose the  site. As you can see, you have your site IP here.   Now you need to select the default directory  list to it's going to use this list here, this   default list that comes already with zap. And now  it's going to try and use it in a sort of a brute   force way to try and detect the hidden files and  folders. And once it gets the result, it's going   to enumerate them. Okay, so now you want to right  click again on it, after you've selected the list   and hit attack. And you want to go to force browse  directory and children. And once you hit that,   it's going to start the process. Now again, this  is going to take a long, while not a long time,  
57:46
depending on this the size of the website,  if the site is huge, then again, it's gonna   take a while. And as you can see, immediately  we're getting some submitted files. So let's,   let's wait for this call to complete. And I know  motility has some very, very interesting files   here that I'm sure will be happy to get. Alright,  so just let it go through this. As you can see,   you can check the progress as you're going here.  And again, the the if you look at the status code,   you can see 200 means the pages were found. So  you can just go ahead and look for things that   are irregular. And I'm sure we can find something  here that we haven't found before. Or you can   look at the at the file form the website directory  here. So um, Mattila day, let's see if we can find   something that is really, really interesting year.  So we have the includes we have the get index of   PHP, we get regressed, sorry for the index dot  o we have something interesting here we have a   notes folder. Aha, now we're talking now this  is where stuff gets really exciting. Alright,  
58:50
so we have whoops, where'd it go? There we are.  So in notes, we have some very interesting files   in notes. So we have a get passwords. Now  what happens? What's this about? Alright,   so what if what what if we just open this URL  in the browser? Alright, so let me just try and   open that in Firefox, I just want to see what  it's going to be all about. So hopefully, it's   opened up in my browser. If it's not, I'll have to  copy the URL, probably because I haven't set any,   any default. Alright, so copy URLs to clipboard.  And let me just paste that in there, paste and go.   There we are Mattila day and passwords. Alright,  so you can see that this folder or this file was   hidden. And we have an interesting txt file here,  which again is quite scary to go we did open   Firefox. Well, don't doesn't look like we need  that instance. So getting back to the topic here,   for some reason, process unexpectedly closed  with. Alright, so that looks like we have a   Java error there. So let me just go back in over  here. So again, we found an accounts dot txt file,  
59:58
what could that be? be caring. Let's click on  that. Oh boy. So again, we have accounts here.   And well, I'm pretty sure you will know what this  means. This is just bad practice from the website   developer, where he wrote notes. And essentially,  these are the accounts. Now let's see what else we   can find. Let's see accounts. Nothing interesting  in accounts, because we now have the account. So   that makes our brute force much easier. You then  have, let's see if we can find any passwords if   they were ever saved here. I'm pretty sure they  are not. But we can also look for some interesting   files here. That can be really interesting. Or you  can look at the sitemap if you want to. So let's   also copy that. Let's see if it gives us access to  the sitemap also very, very important stuff there.   Oh, yeah, so the sitemap, for some reason, we were  not able to process it. Alright, let's look for   some other files here. Let me just open up Mattila  day again. So we have the get images. Let's see if  
01:00:59
we run the get images. Let's see what images we  can get. Again, I'm going pretty amateurish on   this. I'm just clicking on everything. But I'm  just trying to show you the amount of files that   you can find, as you can see, immediately, you  can find that the refresh button, you know all   the icons related to the website. You have the  I hack banner. Oh, yeah, hackers for charity,   man. So I'm talking about YouTube. Oh my god, what  an old logo that is the older BSP logo. Pretty   cool. Pretty cool. And yeah, so you get the idea.  So this is how you actually go through website   and find files that could contain you know, stuff  that is quite interesting, to be honest. So let's   see what else we can find. I'm just going to go  to one more resource here that we've found, oh,   we have to get register out. Now. That's what I'm  talking about copy URL to clipboard. It's actually   it's actually quite fun. This why bug bounty  hunting is? Oh, yeah. Now this is what I'm told   we can actually register. We can actually register  ourselves on the website. Now again, looking at  
01:02:00
the website from here, it doesn't look like we  can. Can we even register on this website? Not   sure we can. For some reason, it's not actually  letting me scroll to the top. But hey, I don't   really know what's going on there. So let's see  if we, yeah, we can definitely log in render and   register. Sorry about that. We can register there.  So yes, it is the register. It does exist. So that   wasn't actually hidden. But it was hidden. It was  hidden to the women when we spidered the website.   So that means indeed, it was hidden, for obvious  reasons. Because the brute force for example,   if you find the login, which is again here,  and again, if this is hidden, you can imagine   the the damage that you can do so again, you can  log in from there. Set up database, whoo. Now,   that's interesting. For some reason, it's not  letting me copy. Alright, so looks like we got   set up database here. So yeah, we can Okay, I  do not want to manually edit the request. No,  
01:03:00
I do not want to manually edit the request. For  some reason my keyboard is being pressed here.   While that's we admin, copy heroes to clipboard.  All right, sorry about that my spacebar was being   mashed on by my tablet in front of me. Right.  So let me just there we are on. So no PHP MySQL   errors, were resetting. So essentially reset the  database, and you can see the damage that this can   do. So again, that is some good stuff that you can  have fun with, when especially with Mattila day,   you can increase the security and find what other  files you can, you can find, you know, with zap,   again, zap is a fantastic alternative that you can  use. If you know if you're not ready to invest in   burp suite, that's totally fine. I used zap for  I think about three years, especially since 2014.   I think I used it in till about I think 2016 or  17. I'm not too sure. And it worked great for me,   I really enjoyed it. And I'm just getting back to  I'm just remembering all the tools used to work,   it was actually quite a user intuitive  interface. Because I just remember right  
01:04:04
clicking means you can copy the URL, you  can inspect it, you can change the request,   you can attack all that good stuff. And you know,  it's sorted out really, really well. Alright,   and you can look at the requests here,  you can change them to whatever you want,   and then send them you can intercept them. So  it essentially does whatever but a suite does.   We're going to be looking at web application  firewalls, or waafs, as they're called. Now,   this may be a new term for you and do not worry.  This is now when we move into a more professional   level. And again, this is what I've been talking  about is most people out there or most documented   documentation out there won't cover the most  important industry standards. You know, now when   I'm talking about web application firewalls, what  I mean is, is these are the protection or these   are the mitigation procedures. put in place to  protect a web application from attacks, obviously   now as a penetration tester, or if you're  looking at it from a white hat, or a black hat   perspective, from wider perspective, it's always  important to have a web application firewall. And  
01:05:13
I'll probably make another video showing you how  to set it up, it's really easy, and it's free,   and it will probably removed about 20% of attacks.  Okay, so that's if you're a white hat. Now,   if you're a black hat, and you're targeting, or  you're performing a penetration test legally on   a website or web application, we usually what  the employer will tell you is they'll give you   a scope of the project. And again, they might give  you the source code, etc, etc, you get the idea,   you have your white box, testing, black box  and gray box. But coming back to the firewall,   most of them will know that there is a firewall.  And that's because the person who set the website   up for them in terms of hosting, or the web  application for them, will in most cases,   on a professional level, have a web application  firewall. Now you might be a bit confused. And   you might be saying, Well, why is this important  when performing a penetration test? Well, this   is important because firstly, it's something that  most pen testers overlook. And if you know this,   you've got an ace up your sleeve. Alright, so  essentially, what's happening is if it's being   used, if a web application firewall is being  used, you obviously first need to detect it.  
01:06:19
And I'm going to show you how to detect it in  this video using a special tool that I don't   think you've ever heard of. But it's also industry  standard. So this is a real secret, I don't know,   for some reason, it's not just, it's something  that just hasn't caught up yet. But hopefully,   after this video, you'll know about it. Alright,  so essentially, the purpose of a web application   firewall is it protects the web application, you  know, from a firewall point of view in the sense   that it blocks attacks, as one would expect them  to come. Now what does this mean for you? Well,   this means that you will need to, you will  need to manipulate any type of data that is   going to be encoded, alright. So what this  means is, if you're, if you're performing a   penetration test that involves you manipulating  data and sending it back to the web application,   then you need to encode it in a specific way to  bypass the firewall. Otherwise, it will be blocked   by the firewall. And I'm sure most of you have  actually done this before. If you're just amateur   penetration testers, and you've just begun, you'll  find that for some reason, your requests aren't  
01:07:22
being processed. And that's because they've, there  is a firewall set up to prevent these malicious   requests from being processed. Okay, so again, web  application firewall is really, really important.   Now, looking at the tool we'll be using, the tool  has actually a very, very funny name you for some   of you might find it hilarious, it is called wolf  wolf. Now for those of you who have heard of it,   you pretty much already know how to detect a web  application firewall, but it's really very, very   simple. Alright, so just open up your terminal.  And what you want to do is you want to type in   wolf wolf. Alright, so this is how it is going  to be spelt. So it's worth Wolf with a tooth with   two zeros. And the syntax is pretty simple. If I  just hit enter, as you can see, we're forth a web   application firewall detection tool. Alright, so  credit go to the author, it's actually it's a tool   that's been there since the, I think almost the  last version of backtrack and the first version   of Kali. So again, quite an old tool, I when I say  old, I mean, you know, I mean that with respect,  
01:08:23
given the fact that it's a really, really useful  and I've used it a lot because it saves you a lot   of time. And what I'm talking about is, so let's  say we want to scan a website, okay. In this case,   I have my WordPress server running here. And as  you can see, it's the site is being hosted on   190 2.1 68 point 1.11. Alright, so I have that IP  opened up in my browser. And as you can see, it's   a WordPress site. And this site is vulnerable.  And this is what we're going to be performing   later on the penetration tests on. But for now, we  want to find out whether it has a firewall. Now by   default, I know it doesn't have a firewall. But  let's see what we're for Fidelis, alright, so the   syntax is very simple. As you can see, you just  type in wolf Wolf, and you enter your URL or your   URL, so you can enter as many as you like. Okay,  so I'll give you an example of how to go about it,   make sure you enter your HTTP or HTTPS protocol.  And we just, let's try that out. So Wolf, Wolf,   and we specify our protocol HTTP in this case, and  the IP address 190 2.1 68 point 1.11. All right,  
01:09:29
now in this case, I'm pretty sure that it  won't detect any web application firewall.   So let me just hit Enter. And as you can see,  no web application firewall detected by the   generic detection. Alright, now this is very,  very advanced. And this tool is an industry   standard. And if it does tell you that there is  no web application firewall, then by all means,   I can guarantee that it will it does not have  a firewall. Now let's look at one of my sites   that I currently own. It's a site that I use. It's  actually My web development company that obviously   we use for web development now I've predicted this  site with a web application firewall provided by   CloudFlare. Now, for those of you who are web  developers, and when you're performing your   hosting, you know that using CloudFlare is awesome  because it allows you to optimize your site for   speed. It allows you to purchase assets and make  your site faster, protected, and again, protected   from DDoS attacks, etc, etc, all the good stuff.  So let's see if it will actually detect this. So   I'm going to type in wolf wolf. I know that name  is really, really funny. The protocol is HTTPS,  
01:10:35
https like so and I'm going to specify the  site which is Elgon studios.com. Alright,   Elgon studios.com. And if I enter, as you can  see, it's going to start checking the site, give   it a few seconds, it shouldn't take any much. You  know, a lot of time, and as you can see the site,   Elgon studios.com is behind CloudFlare. Right now,  what this means is that most of the most of the   attacks that involve manipulation of data will  be in some way blocked. And you know, you won't   get your response back the way you wanted it. And  the render wouldn't be the same. Right now. Again,   as you can see, it detected that it is behind  a web application firewall. Now the next step   is how to encode these, how to encode encode your  your requests that you're going to be sending to   the web application. And that's what we'll be  looking at as we increase the security level,   using the the dam vulnerable web application.  Alright, so I thought, this is something that   I really need to share with you, again, it's  going to really help you. And I promise you, this  
01:11:37
is something that, you know, if you go for a job  interview, or you're performing a penetration test   for a company, this is something that most of the  network or systems administrators are very keen   on, they want to know whether you really know your  stuff, and whether you're really up to date with   how to detect, first of all, because information  gathering is really important. And as you can see,   this tool is fantastic. And once you know there's  a firewall, you then have a better idea of how to   target and you won't be wasting time. Again,  that's something that most of the amateurs or   beginners do. They waste a lot of time trying  different commands that they've seen, but they   find the date and they see that it doesn't work.  And they're like, how is this possible? Am I doing   something wrong? The truth is, the web application  is probably well protected. So again, you know,   do not use this for any malicious purposes. Again,  this is simply an information gathering tool.   I'm going to be showing you how to use der Buster  to discover directories and files on a website or   a web application. You might be asking yourself,  what is der Buster? Or if you haven't heard of  
01:12:41
der buster, let me explain it to you. Alright,  so the airburst is essentially a tool that was   developed by OS, the open web application security  project, and essentially uses a brute forcing to   find commonly used directories and file names  on servers. Alright, so this tool is extremely   useful for those of you who are doing CTF, for  those of you who are bug bounty hunters, because   essentially, it allows you to understand the  structure of a web web application or a website in   terms of the files and directories and how they're  structured. Alright, so why is this important?   Well, this is important because this will help us  understand how we can attack a site or what type   of attack vectors we can, we can we can find, you  know, so for example, if I the web application,   and I'm going to demonstrate that right now, and  I scanned it with the bust, and we found some   hidden directories and hidden files, we can use  these as attack vectors. Alright, so as I said,   it also allows you to find hidden directories or  files that are hidden from the public. So this  
01:13:43
can also lead you to, to finding additional  resources that could have been hidden away   by the devs that like for example, admin pages,  etc, etc. Alright, so how does it work? Well,   really simply, once you start up there, Buster,  and again, as I mentioned, it uses brute forcing   so I'll explain where wordless come into play.  So you open it up and you select the URL of the   web application or the website and you specify  the port The port is is the is definitely going   to be HTTP sewed a the a port 80 or Port 443. And  then you select the word list now, in this case,   Cali annex already has a dub dub Buster word list  that that are designed, it has three of them that   are designed for different types of scenarios.  And I'll explain them as we move along. All right,   and essentially how it works is once you start  the brute force attack, it will send HTTP GET   requests, and it will wait for the response from  the server or the web, the web application. If   it gets a 200 response. That means that yes, that  directory exists. Alright, if it gets if it gets a  
01:14:48
bad response, meaning like 400 or four or three,  meaning no access, then it'll it will it will   know that that directory of file doesn't exist. So  it's essentially testing directories on the server   against This, this word list. So it will check,  for example, is there a temp folder, if it sends   a temp request to the server, it gets a response,  a positive response, then it knows it's there,   and then it will enumerate them. Alright, so let's  start off really, really simply. So I'm on Cali   the next, I have the OS, broken web application,  right here. And I'm going to be demonstrating two   scenarios. So you can see I'm running that  here. And that has a lot of vulnerable web   applications. But the whole idea is to demonstrate  how directories can be found. Alright, and why   this is extremely important, especially for a  web application penetration tester. Alright, so   I'm gonna pull up Firefox. And as you can see, you  have the open web application project right here,   the OS B web, as they call it, and it has plenty  of ways of me testing this. But what if I was to  
01:15:51
just test the entire server? Alright, so this is  a web server. What if I was to test the entire web   so well, I'm guessing that there going to be a lot  of files and directories. So what we can do is,   we can start off with a perfect example of how  this will work is let's say you're targeting a   WordPress site. So I'm going to open up the broken  WordPress. Now, of course, this is an very old   one, and we're not really exploiting anything. But  by using this example, it will let us understand   how we can enumerate the different directories and  folders, you know, on this WordPress installation,   or if you are target targeting a WordPress  site, this is the way you do it. So I'm going   to copy the URL with the with the directory right  here. So it we know it's in the WordPress folder,   because that is the root directory of the of  the web server and we're selecting the WordPress   installation. But for the website, you will  select the URL. Alright. And that's for the port,   we know that this is the default HTTP port, which  means it's Port 80. Alright, so I have doorbuster.   Right here, if you can't find it, just you can use  the start menu and type in der buster, it's going  
01:16:55
to be like so just this click on it, and give it a  few seconds to start up. So again, it was designed   by the OS team. So it works really, really well.  And again, this is something that I'm sure if you   if you are a web application penetration tester,  or you do do the CTF challenges, then you will,   you'll know that use this tool a lot. Alright, so  we in here, we have the target URL, and that will   we will paste it Alright, so we can paste it right  here. So Ctrl V, and that is the URL. Now in the   work method, if you want to, if you want the scan  to be faster, you can use the GET requests, but   what we can do is auto switch them from the head  and get and that will give us a more robust or a   more accurate response rate. Alright, so in terms  of the number of days, this is how fast you want,   you want the scan or the brute force to be, so the  faster the better depending on your hardware. And   of course, you don't want to overload the server,  so I'm just going to go hit click on Go faster,   that's probably works the best for me. But if you  wanted to run faster, then that means it's gonna,  
01:17:57
it's gonna have multiple requests and threads  being sent from your computer. Alright,   so I like keeping it at just 200 threads, which  is go faster. And because I'm testing my own web   server, I can, you know, I can pretty much  increase it to whatever I want. So usually,   if you're talking about a bigger server or a  bigger web application, then it doesn't really   matter how many requests or many threads you use,  it will not really affect the performance of the   web server. But if I was to run it at maybe a  maximum speed, you'd see that the web server   would be lagging out, you know, out of the amount  of requests that are being sent. Because you know,   you have to understand it from a fundamental point  of view, we are requesting different web pages,   and the server has to process them. So if the if  the if the server is not running on on, you know,   good resources, like it's running on one gigabyte  of RAM, it's very easy to make it lag out,   and to actually cause some sort of a denial of  service just because of the amount of requests.   But in this case, we are performing it you  know, with with an ethical perspective. So now,  
01:18:59
you want to select a list based brute force or you  can use a pure brute force. But I don't recommend   that that doesn't really work. And you now need to  select your word list your doorbuster word list.   Now by default on Kali Linux and on paradise,  these are found in the user share folder on the   under word list. And you can find the doorbuster  word list right there. So I'm going to show you   that right now. So I'm going to browse, I'm going  to go to my root and I'm going to go into user   and I'm going to go into share. And let's go into  Word Lists here. Let's see if I can find it. It's   obviously with a W. Where it Where is it? Let's  see. Let's see. Let's see where is wordless story   if I can see this. Yeah, there we are. Sorry about  that. wordlist and you now want to go into der   buster. Alright, so there is going to be a folder  called der buster. And now you might be a little   bit confused. Well, really, you don't need to need  me to be confused. That's why I'm here. So as a   beginner you might be wondering like which one  is better. Now as an advanced penetration test,   I know which one is the best in Most cases,  it's going to be the medium the directory list  
01:20:03
2.3 medium dot txt. Now, if you're scanning a very  small web application that that's not that really   complex, like a simple HTML site, you know, HTML,  CSS, whatever you want to call it, then I would   recommend the smaller one. But if you're scanning  a big site, like a WordPress installation,   or a Joomla installation, then you should use the  medium one, this will work 99% of the time unless   your your, your requests are being blocked by  either a web application firewall or by the,   the host. So I'm just going to select list.  Alright. And now in terms of these other options,   you can see it's, it's going to essentially  brute force brute force the directories,   the files, it's going to be recursive, which is  great. And the directory, you must specify the   directory if it is if you are trying to perform  a scan that is directory sensitive. Alright,   and standard start point, just leave it like  that. And you now want to hit start. Alright,   so once you start is going to start brute forcing  the web server against, it's going to start  
01:21:03
sending the request. And if it gets the responses,  the positive responses is going to, it's going to   understand that yes, that directory does exist.  Now you can see we have a response that is being   sent here. And it's going to tell tell you that  it is unable to determine a consistent failed   response, which means some directories and files  are being you're getting a negative or you're   getting a no access response, meaning that that  directory doesn't exist. So what you can do is   just hit Cancel to these ones in it Yes. And it's  going to continue scanning the other ones. Now of   course down here you can see since it's performing  a brute force, you can look at the current speed,   which varies dependent on the amount of  directories, the average speed, and it will   tell you the total amount of requests done out of  the amount that could be done depending on on the   word list that you have selected. And finally, you  have the time to finish. Now, of course, this will   vary depending on a lot of factors. But mostly  it depends on the speed of the scan that you've   selected, and the and the word list. So you have  your scan information here, it's going to tell you  
01:22:07
what folders and files it's testing. And in here,  you can see the results in terms of directories   and files that it was able to find. And in the  results, this is going to give you the directory   structure as to how files and folders are being  structured on the web application. Now by default,   right now, you can see the amount of the  files and folders that it has found are,   for example, the WordPress register dot php.  So if we open that, if you right click on it,   you can open it in the URL, or you can view  the response that it gave. And you can copy it,   you understand you get the basic functionality  here. And then you can open it in your browser.   So again, you see that we are finding files that  we otherwise wouldn't have known existed. Now,   of course, for a default WordPress installation,  you would have guessed that this does exist. But   remember, most people are for volken, for most  other installations on configured figurations,   this can be a great way of finding files and  folders that you didn't know existed. And again,   discovering them is very, very important. And  this can give you different attack vectors. So  
01:23:09
for example, if I went to the admin dot php, and  it forced me to log in, that might be a good place   to start brute forcing, if I had credentials, if  not, you can choose Select another attack vector.   So let me just move back here you can see we have  the register page here, which we just clicked on.   Let's look at the WordPress login dot php. So  I'm gonna open that up in the browser. Now you   can see the server is not responding. And that's  another point that I wanted to point out. If you   want to be as you know, right now we are being  as promiscuous as possible. Because we it's   not really a web application that is delivering  service to other people. But because it's hosted   on my local area network. So in this case, you  can do a performing a type of denial of service.   And that's because the server is located very,  very minimal resources to this virtual machine.   So that's why it's kind of lagging out. Alright,  so that's something to take into consideration.   Now if I was to, to pause the attack, like so if I  was to just pause it, remember, you can pause it,   and you can stop it. And let me just go back  here. And let's see if we can reload these pages,  
01:24:12
they should be able to, to be reloaded quick  enough. Let me let me just load that up. And   we can close this one. Let's see if the WordPress  register page does open up. If this virtual, yeah,   there we are. So you can see even though this  is a very old WordPress installation, that we   were causing it to lag out. So always keep that in  mind that the amount of threads that you say can   affect the performance of the website of or of the  web application and you don't want to cause any   any impact to customers if you're performing the  test on a real world working web application or   website. Alright, just something you might want to  take into consideration. So we're going to resume   it and of course I'm not going to expect to find  anything we add here. Although this WordPress   installation is designed to be vulnerable.  So you can also change the number of threads   running right here. So if I wanted to run, you  know, maybe on 10 threads, which is quite slow,   that means you will get, the enumeration process  will take longer. So it's all about balancing your  
01:25:13
resources and understanding what you're trying  to look for. And of course, this can be a very,   very useful tool. When doing bug bounties, or,  or CTF for that matter, especially hack the box,   we are going to be looking at something that is  extremely important and something that should be   understood completely, and that is cross site  scripting. Alright, now before we get started,   I'm just going to explain what we're going to  be looking at explain what we're going to be   looking at in this video, we're going to start  off with explaining what cross site scripting is,   I'm going to be showing you the environment  that we'll be using for testing any of these,   any of these attacks just because they allow  us to illustrate or they allow me to explain   how everything works, because that's the most  important thing for me is that you understand   what you're you're listening to, and you have a  good representation of what's going on. Alright,   so I'll be explaining stored. I'll be explaining  the reflected stored and Dom cross site scripting.  
01:26:18
Alright, so let's get started with me explaining  what environment I'm currently running. So you   can see that I'm running Kali Linux right now.  But I am going to be using the OS broken web   applications project. So I'll have this in  the description section, it is essentially   a virtual machine, that you can easily just run  on VirtualBox or VMware. I'm currently running   it here. As you can see, I just got the local  IP, it's 190 2.1 68 point 1.111. All right, so   I have that running. And I'm running this on Kali  Linux, and I already have opened up the URL in my   browser. So you can see from here, I've opened  up v whap. And I've opened up webgoat, because   that's what I'm going to be using to explain each  of these cross site scripting attacks. So if I   was to do that false to just open up 190 2.1 68  point 1.11, yours could be different, it should   be different. Depending on your IP configuration,  and subnet, then it'll take you to the OS, b,  
01:27:19
w A, or the OS broken web applications project.  The latest version, as of recording this video   is version 1.2. So we will be using webgoat and B  web, or the broken web application project for for   this demonstration. So the default credentials for  webgoat are going to be guest for the username and   guest for the password. And for B whap. It should  give you the prompt right over there. I think it's   going to be bug app or something like that. But  irregardless, it will tell you what it is. All   right. So make sure you open that up, and you have  that all set up. So I've logged in to be web and   I have a web goat started up right here. Alright,  so let me close that up. And we are ready to go.   Now before we even move on into performing these  attacks, it's very important to understand what's   going on here with with cross site scripting,  what it is how it works. And what are you exactly   taking advantage of right now, this is where a lot  of people make mistakes. And if you want to be a   successful web application penetration tester, you  need to understand, you know, from a fundamental  
01:28:24
level, what's going on here. Alright, so let's  get started. What is cross site scripting? Well,   simply put it is the process of injecting a script  into a into the parameter in a URL to attack   a user of the site or to potentially attack the  server side of the website or the web application,   right? So essentially, is the inject the  injection of a script into the parameter of   a URL. All right, that's essentially what it is.  Now, of course, this may be quite confusing, but   don't worry, I'll explain what's going on here. So  let's start off with with, first of all explaining   the three types of cross site scripting. All  right, the first one is reflected and then   we have stored and Dom. So with reflected what's  happening here is the data is inputted and then,   you know, reflected directly back back on the  screen. So I'll explain this in a second. Alright,   so if we are to look at this from a fundamental  perspective, I'll show you how to access this,  
01:29:27
you know how to navigate the view up. Just give  me a second, let me explain what's going on. So   essentially, what's happening with reflected cross  site scripting is that the input is going to be   stored in the parameter of the URL. All right,  and I'll explain how this differs with each type   of attack. Because many of you will point out and  say, well, it's not only to do with parameters,   and don't worry, I'll explain all of this.  Alright, so we can essentially manipulate the the   parameter of the URL, so that we can essentially  run a script. Now what type of script we can run a   malicious script that is based on in JavaScript,  and I'll explain that right now. So you can see   with our portal, you don't want to touch anything  here, you can set the security level. But for now,   I recommend setting it to lope. Not that that's  going to hurt anyone's ego. Because remember,   you have to be humbled to begin, and you need to  understand what's going on first. So we will open   up the Jews, the bugs section here, and we want  to go down into cross site scripting. And we want   to go into reflected which essentially deals with  the get the get request. So we're going to start  
01:30:28
off with that. And this will really make you  understand what's going on here. So if I click   on that, and I just hit hack. Alright, so now it's  going to give us a prompt here. And you might be   asking, Well, what what do you mean, what exactly  is going on, if I was to not enter any details   into the, you know, into these fields, right  here. So for example, you can see I just had a   suggestion there, that's because I was testing it  out. But if I was to hit go, you can see that in   the URL, we do have the input here. So you can see  the values can be edited directly into the form.   So you can see first name has no value. And then  we have the last name, which again has no value,   and you can see that it is submitting a form.  So what we can do is run some JavaScript code   in here. And the most common way of explaining  what's going on here, of course, not running a   very malicious code right now, it's essentially  explaining and demonstrating that it does work is   I can run a piece of code here. Now, of course,  when you put this into a practical perspective,   many sites are going to filter the content that  you can enter in these fields, all these forms,  
01:31:32
and will essentially will not allow you to  run JavaScript code and you know, obviously,   to protect, protect the site from these type of  attacks. But what you can do is encapsulated to   encode it in a different type of language.  Or, as I said, I'll show y'all everything,   or how all of this works. So this right, right  now, being the current security level, as low,   we are a lot a lot essentially encode, it will  not verify or validate what we're entering in   here what input is being given. So if we were  to type in a script here, so we can say script,   and you can see the recommendation there script,  that's mine. So if I was to type in alert, and   this is JavaScript, so I'm pretty, I'm pretty sure  you can you know what's going on. So we can say,   Hello world. This is an example of reflected  accesses, or cross site scripting, and we can   close that operate now. And then we need to close  the script. So we can do that in the next field or  
01:32:35
the next parameter. Most people like doing it from  the start. But this is just to show you how robust   this can be. So I type in I close the script and  hit go. And as you can see, it gives us the alert,   which is what we and we which is what we used  as a form of, of me showing you that it does   work and it will be processed, the input will be  processed and will be sent back to you, you being   the client. And we can just hit OK. And that was  an example of reflected excess cross cross site   scripting, using the get method. Now of course  we can, I can replicate this many, many times   using the other types of cross site scripting, for  example, with the post, etc, etc. We'll be looking   at all of that. But for now we need to understand  what's going on here. Now next, we need to look   at stored cross site scripting, this is probably  my favorite because of the potential that it does   have. Alright, so let's go into the juicy bug menu  here. And we want to go into cross site scripting,   and we want to go we want to go for the blog,  cross site scripting stored cross site scripting,  
01:33:37
and we're gonna select blog, and I'll  explain why in a second. Alright, so first,   let me explain what stored cross site scripting  is. So essentially, with this with the cross site   scripting attacks, more specifically, these stored  attacks, essentially, what's happening is you're   attacking the input. And you're essentially  attacking the input that is to be stored or   you're attacking the data, or, essentially, I'll  explain this really simply, so you're attacking   the input that is to be stored on a database. So  what you're doing is you're essentially injecting   malicious code that will be saved into a database,  or that is going to be saved by the server,   or the web application server. And then you can  definitely you since it's being stored, you can   access it later on or other users can access it.  And for example, if it's running malicious code,   it can trigger different things like opening  the webcam of a user stealing different type of   information. I'm not going to go into what you can  do with it, but you can really do a lot of stuff,   a lot of malicious stuff with code. Alright, so  let me explain what's going on here. So with this  
01:34:39
stored, cross site scripting, you can essentially  inject malicious code into the database again,   that then that when accessed runs this  malicious code. Alright, so if you can see   this is an example of a blog. Let me explain what  I mean the best places to implement stored cross   site scripting is in places like means, you know  forums. And again, as you can see write your blog   in the form of comments that you know, or pages  that can be accessed later, or data that is being   stored in directly into the database, any database  for that matter as long as it's being stored,   okay, so we can type in something like hello.  And we can submit that to the database. And   you can see it's getting stored. And you have  the different tables, you have the the number,   the owner, the date and the entry. So now we can  also run a script in here. Alright, so what if we   were to enter Java scripts, and again, this data,  given our security level is any of the data that   we're entering is not being validated. So you  can essentially enter it raw. Now in reality,  
01:35:45
if you go and try and enter a script in the  native will not be accepted, because, again,   they're protecting their site against that.  That's one way of mitigation, very basic,   I'm sure you know what I'm talking about. Alright,  so enough of me rambling on. So if we are doing   enter the same script we entered, we are to say  script. And we then say, alert, for example,   we can you can use any type of JavaScript code  you want here, and you can experiment, you know,   you these web applications are there for you to  experiment and test your skills out. So first   to say, Hello world. This is stored out stored  cross site scripting, and we just close that up   there. And of course, we have to close the script,  because we know that that will not execute if we   do not code it correctly. Okay, so now we can we  can add that. And if I was to just hit submit,   right, now, you can see that it's going to store  and with that being the latest blog post, you can   see it's going to tell you, it's going to execute  the script. And it's going to say hello world.  
01:36:46
This is stored cross site scripting. So an example  of a blog, if you're to post this on a page or a,   you know, to make a blog post and inject this  script in, anyone opens that page will essentially   run that malicious code. And whatever that code  does, can then furthermore, you know, cause damage   to the user or to the server depending on what you  want it to do. So it's all dependent on what the   attacker is to do. Remember what I told you in  the first video of this series, it's all about   your mindset, and your your your willingness to  break things and to find out what does and doesn't   work. Okay, so that was an example of stored  cross site scripting. And as I've mentioned,   the most important thing to understand is this in  this scenario, the data is not being validated if   it is being validated. And I'll show you that in  a second. Or probably in the next set of videos,   we'll increase the security level, and I'll show  you how to get you know past this, you can see   how things change as you move along in terms of  security levels. So I was going to use the V whap.  
01:37:50
This my first time using it. So I had to get a  bit of an introduction through the documentation.   And I realize they don't have dumb cross site  scripting. So I that's why I had to use webgoat.   They're the only ones I know who actually allow us  to run it. So as zoomed in right now, by the way,   the credentials are guests for the username  and guest for the password. So essentially,   I went through cross site scripting, and again,  they didn't have the DOM in here, all they were   focusing on is stored and again, reflected. So I  found it to be in the eye x or Ajax or whatever   you want to call it. And we have the the DOM  based cross site scripting, let me explain why   it's in. This is based in Ajax security. This  is because Dom cross site scripting focuses on   the client side. So any data or input that is  entered, whether it be a malicious code, etc,   etc, is going to be processed by the client, not  the server. So any of the attacks will be based,  
01:38:51
of course, on the client. Now, let me explain  what I mean. If I am to run remember, JavaScript,   server side, client side i x, for example.  So if I am to run, for example, a JavaScript   code in this entry here, so script, and again, I  type in alert, just being the example and I say,   Hello, let's keep that simple. And I close the  script here, you can see that we will probably   not be left with anything will not get any result.  That's because it's being processed by the client,   not by the server. So no, no result or no data  will be reflected back to us. If it was, you know,   if it was reflected cross site, scripting it,  the server processes it, and then is reflected   back to the client. So if I was to submit here,  you can see that nothing happens here. And that   it is going to be taken as code. Now what if  we were to enter or use a language that that   a client can understand? So let's say we want  to say, let's see, HTML, whatever to use HTML,  
01:39:53
so I can say in here, IMG, for example, that's a  very This is the way we learned it. So IMG See,   and we don't have an image source. So we can leave  that like that. And then we can use the on error,   in case we get an error of image which we will get  because the image has no source on error, we can   say that is going to be, that is going to be equal  to alert. And then the alert we can input in here,   we can say, Hello, whoops, hello world. And we  can close that up. And once we have closed it,   you can see that we can, we can close that there.  And there you are. So it is great to be processed   by the client, and you get the dialog box or the  alert with the message Hello world. So you can   see that with Dom based cross site scripting, it  is all being processed all the input, whether it   be malicious or not, is being processed by the  client. And Ei x is one of the largest languages   that can be used. So you can also incorporate  a x if you wanted to test it out. Remember,  
01:40:57
it's all about experimentation and understanding,  I hope that you're you've got an understanding of   what cross site scripting is, how it can be  used to manipulate data, whether it be on   the client side on the database, and how you  can easily just transfer data with you know,   bad security in place. Of course, this is  the these attacks will be a very uncommon   now. But again, this was focused on more  on an explanation point of view. We're   going to be looking at cross site request forgery,  or CSRF. Now, this is an extremely important topic   and a big one that I cover it correctly. So for  the purpose of this video, I've set up a very   unique environment that in at least in my opinion,  will demonstrate how to utilize or how to perform   this attack. Alright, now I'm just going to give  you a brief overview of the environment that   I have no, of course, you can see I have a few  files open here. Don't worry about them right now,   just just remember that we'll be using them later  on. And I'll be using them really, really well to   explain what's going on here. So you can see as my  target or as my vulnerable system I'm going to be  
01:42:06
using on my vulnerable web application, I should  say, I'm going to be using the OWASP juice shop   now. Not actually no one actually recommended this  to me. But I remember that I performed this during   a CTF challenge that I went to earlier, I think  late last year. I'm not too sure exactly when   but the whole process was involved in exploiting  this web application. Alright, and in my opinion,   this really outlined or really showed of how  to perform all of these various web application   attacks. In this case, we're going to be  focusing on cross site request forgery. Alright,   so I have the juice shop running it's, it's based  on a node.js. And it's running on my local host.   Let me just show you that right now. There we  are. So I haven't logged in or done anything   yet. And that's because I'm going to do that with  you. So I've set it up, it's running on my local   host. Let's get started with this really, really  simple but sometimes complicated topic. Alright,   so cross site request forgery CSRF. Now from  the name, you can already tell that it's split  
01:43:12
into two into two sections, you have your cross  site, and your request forgery. So from that,   we can get a basic example of what's going on  here. We have cross site scripting, and we are   going to be forging requests or we are going to be  manipulating requests. Hmm, interesting. So we are   we are kind of understanding what's going on here.  Now the technical explanation for what CSRF is,   is it is an attack that forces an end user to  executed unwanted actions on a web application   in which they're currently authenticated. Alright,  so let me put that really, really simply, right,   it's an attack that will force an end user to  execute unwanted actions on the web, on a web   application, these actions can be anything, but in  this case, we're going to be looking at changing   the password. And they have to be currently  authenticated to that web application, which means   they have to be logged in to that web application  for this to work. Because if they're logged out,   then you get the idea. It really doesn't help or  it doesn't work. Alright, so we use cross site  
01:44:17
scripting, in this case to perform the request  forgery, and to get either desired or undesired   results. In our case, we're going to be looking  at how to to change the password of any user   that's logged in to the to this web application.  And how will we How will we be doing that? Well,   we are going to be using CSRF. But the first  thing you need to understand is how an HTML form   works. Alright, and this is very important because  first of all, a client will request a page from a   server. Alright, the server will then respond and  give the the client the HTML form. The client will   then send back the form with the data back to the  server server will then authenticate and authorize   the user and then will will perform the requested  action. And based on the request and the response,   we are able to forge or to change the request  and get a desired response if you're looking at   it from an attackers perspective. Alright, so,  the the way CRS CS CSRF works sorry about that  
01:45:24
is the attacker will manipulate the victim into  submitting the attackers form data to the victims   web server, essentially, essentially performing  these these requests in the in our case, as I've   mentioned, it will allow us to change the password  of any user on this web application, in this case,   the OWASP juice shop web application. Alright,  so now you might be asking, Well, if I'm a bug   bounty hunter, I'm practicing to become a bug  bounty hunter. How do I go about finding this   vulnerability? Well, that's a very good question.  And that is the question you should be asking   yourself when performing any penetration test.  Now, coming back to my environment, I'm running   burp suite, the Community Edition, you you will  just need the Community Edition for this one,   we're not performing any advanced techniques  here, because we're essentially just changing,   we're just going to be changing the request to get  our desired responses. But once we move on to the   advanced stuff, I'll then be using OS zap for  our attacks. Alright, so keeping things really,  
01:46:27
really simple, we, the way to look for these  vulnerabilities is to target the login pages,   which we have right here, we then need to, we  can then create the account and log in. And   then finally, we will be creating our own our  own script to perform the cross site scripting.   And that will allow us to submit the data or  if we send the URL to another user of this   web application who is currently authenticated,  it will allow the it will allow us to make them   change their password, and then we can log into  their account. Alright, so this vulnerability   is very common on sites with accounts, you know,  sites that have emails of passwords. And as you   probably would have guessed, there are a lot  of sites that utilize this functionality. But   remember, most of the sites out there will be  protected from this vulnerability. So it's up   to you to find these vulnerabilities. Alright, so  as I've mentioned, we will be using OWASP juice   shop as our target. And the reason is, is because  it will explain what I want to explain really,  
01:47:27
really well. Alright, and we'll be using the burp  suite Community Edition. Now, as you can see,   I'm currently running the burp proxy, I'm not  intercepting any traffic, if I open up burp suite,   I'm not intercepting any traffic. If I go to  the proxy, and intercept, I'm not intercepting   anything. So it's currently just I'm just going  through the burp proxy and all the traffic and   data is being logged through the proxy. So when  it comes down to this little data that I've   saved here, I've already created an account.  The reason I've done that is to save time,   because I don't want to explain everything about  it. So I've created, I've created a user with the   email of test@test.com and a password of password.  So really simple. Again, there's nothing really   complicated here. And if you want if you're  wondering what exactly does this mean? Well,   this is a security question with the answer.  So the question was, what's my favorite pet,   and I wrote in dog. So hopefully, that doesn't  scare you into thinking that I've gone completely   crazy. And then in here we have the scripts that  we'll be using, or will be utilizing to perform  
01:48:32
the CSRF are on the site, I'll get to this in  a second. We don't need that right now. So if   I want to log in, I know that the email is  test@test.com. And the password is password.   Alright, so let me do that right now we need  to authenticate. So let me log in, like so. And   I'm going to hit test@test.com. Alright, and I'm  going to write the password, which is password,   and I'm going to log in. Alright, and I'm don't  want to save the password. And there you also   have logged in now. Now as I said, this is very  this vulnerability works really, really well when   you're talking about changing passwords, because  as you can probably guess, an attacker would would   be looking to exploit this functionality because  imagine, if we were able to send a request a get   request to our target with the URL encoded URL.  Of course, we can also use link shorteners,   if we wanted to, to do that. And essentially,  if they authenticated, it will allow us to make   them change their password simply by clicking  on the link, changing their password to whatever   we specify. Alright, so how do we do this? Well,  the first thing we need to do is we need to look  
01:49:37
at how we get requests are being sent. And we can  do that using burp. So we're just going to change   our password. So current password is password.  And what I'm going to do is I'm going to change   my password into password. Oops, sorry, pass word  123. And I'm going to repeat it so fast word 123.   And I'm going to hit Alright, so the password was  successfully changed. Okay, now let's look at how   this was processed in burp, or how the request was  sent in burp. So I'm going to go into burp proxy   and HTTP history. And I'm going to go all the way  to the bottom. And as you can see, we have the get   request right over here. Okay, so the get request  is very interesting. You can see we have the get   request, and it's targeting the the following URL.  And these are the parameters. So change password,   the current password is password, new password  123. And we've repeated it. Alright. So now let   us perform the forgery here. So I'm going  to send this in to the repeater. Alright,  
01:50:39
so I'm going to click on repeater. And in here, we  can manipulate the request and see what responses   we get. All right, in case you, you did not know  about that. But again, let's start off really,   really simply. So we are going to be working  with the raw request. We don't want to work   with individual parameters, although you could  change it, but we are going to be manipulating   the request entirely so that it performs what we  want to do. Alright, so what we can do first is   we can test so let's change what if we were to  change the current password to something like,   let's see test, let's change it to test and  then we hit go, you can see that the response   we get is a is a 401 error, which means we are an  authorized to make that and it will give you the   message right here. The current password is not  correct. All right, that's good. That is good from   a web application perspective, which means that  this web application is performing validation.   And it's not going to allow us to know to just go  in and start manipulating any requests and making  
01:51:39
changes. So from a security perspective, the web  application is doing really, really well. Alright,   what if I was to change the new password? Let  me change this back to password to the current   password, which is what we said and change the  new password to password pass 123. All right,   and I hit go. Again, we get another error. Again,  the 401 unauthorized error telling us that the new   and repeated password do not match. So yes, the  current password is correct. And the only thing   that we're getting an error is the new password  and the repeated password are not correct. So   interesting. What if we want to change the  password into password 123. And we can repeat that   again. So we want to confirm this. So password  123 actually hold on. So I'm going to say password   123. And now let's see what this tells us. This  should verify it. But let's see if this works.  
01:52:42
So you can see yes, that does work. And we know  that this works, because that's what we did that   was the original request. But what if we do not  know the current password of the user? Remember,   we're going to be targeting other users of this  web application. So what if we get rid of and this   is very, very, this is the way penetration testers  go about it. What if we get rid of stuff? So what   if we get rid of the current password? Alright,  and now essentially, they get his targeting Change   Password with the question mark here, essentially  requesting and we're only entering the fields or   parameters new. And repeat what if we do that  and we change them to password 123 I mean,   pass 123 and pass 123. Let go. You can see yes,  it does work, we get the 200, the 200 response,   which means everything was processed correctly.  And we were able to get a password that looks   to be hash, that looks to be hashed. And we got  the email that we used. So yes, we do know that   it is working. Alright, so we know that we know  that this worked. But we need to confirm that  
01:53:50
this has worked. So we can do this by going back  into our web application. And we can log out and   we can try and log in again. So log in with our  new password. So we're gonna say test@test.com,   and our new password was passed 123. Remember, we  changed it earlier. But again, I was demonstrating   that we if we are to send this to our target, we  need to specify to make sure that it will work   without any pre required information like their  current password. So I've manipulated the request   there. So let's hit log in. And voila, you can see  it does work. Excellent. All right. So this is a   fantastic example of so also CSRF can be utilized  or how it can be how you can find vulnerabilities   for it. Alright, so this can allow us to change  or update anyone's password. anyone's accounts   password that are currently logged into this web  application. Alright, so now what we what we need   to do well, we can we can log in. As we've already  seen, we can log in and once you've logged in,   we can we can test to see if cross site scripting  does work. And then of course utilizing it  
01:54:58
throughout the web application is very important.  So We can run a simple cross site script attack to   see if it will work on the search bar right here.  So I'm going to type in script. And a simple one.   So alert, just to test whether it works. And  in the alert, we can say, Hello, just something   stupid hello world, you know, that's an I can't  even type man Come on world. And we've typed in   the alert. And we can finally close the script  here. Script like so. And let's hit search.   And voila, we can see that indeed, cross site  scripting work works, which means we can insert,   we can insert our GET request inside a script and  use a cross site scripting to perform the CSRF.   And now you can see them conjoining together,  cross site scripting with request forgery. Okay,   so we now need to create our custom script  that will allow us to utilize the attack.   And we will be using XML and HTTP. Now, you  might have seen this script right over here,   let me just minimize this and open up leafpad, you  might have seen this script that I created. Now  
01:56:02
you can find many of these CSRS scripts are online  that utilize different languages. In my case,   I find the one that works the best is the  is the one that works with x XML and HTTP   and contains the get request in here. Okay, now,  you can see that the get request requires the URL   in which we submit the the parameters without the  current password. So we need to go back into burp.   And it needs to go back into proxy HTTP. Sorry  about that HTTP, we look to change the password.   So if we go back into, sorry, the repeater. And  if we look at this now, we can see that the URL   is right over here. So that's the get request. So  if we copy this localhost, obviously, and we are   not using any current password field, so if we  can do that, really, really simply, you can see   how this can be utilized really, really well. So  what we need to do now is understand how the URL  
01:57:03
will be format. And of course, the web application  is going to encode it, and I'll get to that in a   second. So we need to copy this URL right here.  So I'm just going to copy the URL. And we can   edit our our script. So HTTPS, and we paste it in  inside the URL, you can copy this script if you   want to. Let's take a look at whether this script  is formatted correctly. So get HTTP new, that's   not the way we want it. Let me get rid of the  pre pre determined HTTP there. So HTTP localhost,   it's hosted on my localhost with the Port 3000  node, an OJS standard. And the we want to change   the password, the new password is past 123 and  repeat his past 123, you can change that to   whatever you want, if you want to, you know, play  around with the script. But in my case, I don't   want to do any of that. So this is the script. So  what we can do is we can copy this now. And we can   run this in the search bar. And that should, in  theory, and in practice, give us our first CSRF  
01:58:06
attack on the site. So I'm going to paste this in  here. And let's see whether it does this. So I'm   gonna hit search. And you can see you successfully  solved the challenge error handling provoked an   error that is not very gracefully handle. Again,  this is a fantastic web application vulnerable web   application that is awesome for practicing your  your web application penetration testing skills.   Now, I talked about the URL that you should send  to your target. And that is the URL that will   essentially make them change their password or  without them knowing, given that they are logged   in to the web application or they have an account,  it will not work if they have not logged in.   Alright, so that's very important to understand.  And many people just you know, forget about this.   Now. Again, if you could have done this, you I  can log out again, and I can log in try and log   in now. And I can type in for example test I just  want to show you something very interesting here   test. And I can change the password, we already  changed it to password 123. Now before I do that,  
01:59:10
I can just inspect the element here. And I'm  going to hit login. And I just wanted you to   check something out. All right now, let me just  expand this a little bit here. If we were to   look at the network, this will essentially shows  all the GET requests. So if I was to hit login,   you can see that if we are to look at the  get request here the login GET request,   you can go ahead and look at at the exact format  in which it was sent. You can look at the cookie   the it should give you the the authentication  token not to show it should give you the authentic   the authentication token. But that's something for  another day. Don't want to complicate you guys,   you can look at the cookie if you want to. And  you have all the responses right here. So there we   are. There's the authentication token and you can  see something very interesting in regards to the   token. Alright, so let me show you this right now.  Alright, so as I was saying, you can see. Alright,  
02:00:11
so as I was saying, you can see that if we look  at the parameters, the password will be displayed   there, and it will be updated to the one that  we selected or specified in the script. Alright,   so remember, if you want to customize the cross  site scripting attack, you can do it through your   script. And where is lifted here. So there we are.  So you can change the password. The as you see,   we just got rid of the current password parameter,  which is a vulnerability on the site, but you can   change the password to whatever you want. And  now you might be asking, as I've mentioned, what   link do you send to the target and that is very,  very simple. If I was to run the script again,   and I change the password to maybe something else  like password 124, or 345, sorry, 345. Let me just   add that to the password. And I run the script on  an authenticated user, which is me. So let me copy   that. And it should change my account password.  And you can see once I log in, log out and try   logging in, it will have changed it successfully.  So let me just run it in here. So I'm going to  
02:01:11
paste the new one in here. And I'm going to search  and there we are. So now it's changed my password.   And if I log out, and I try and log in with with  the old password, which is password 123, you can   see whoops, sorry, I think I typed that in wrongly  123 like so, fight login, there we are, you can   see that we entered the new password, and it did  work fantastic. So we were successfully able to   execute the script. And again, when if I just run  the script, again, this is the URL that you will   send to your target. Alright, so if I just copy  it, and I inspect it in my leafpad here, I really   love leafpad. I don't know that you guys love it,  too. If I just inspect it, you can see that this   indeed is a URL. And if the web application was  being hosted on a server, outside my local area   network, it would give you the website name, the  port, if it is port specific, and the URL here,   which as you can see is encoded. So what I  would recommend is that you copy this link here,   and you use a link shortener like bit fly or any  of the other Google shorteners, and you send that  
02:02:15
to your target. And once they click on the link,  and if they already logged in to this specific   web application, it will update their password.  And you can essentially, you have the password   now because you've updated it. And you're all you  need is the email, which I'm pretty sure you must   be knowing if you're performing this attack. Or  you could just be gathering passwords of users,   all of which you can, you can send this link to  and are authenticated with the web application.   We're going to be taking a look at session  management. And in this video, particularly,   we'll be looking at cookie collection. Alright, so  as you know, you probably would have known what a   cookie is. Now there are three types of cookies  that we really need to be focusing on in this   section. And we will be focusing on in general.  The first one is the session cookies, which I'll   discuss in a while we then have the permanent  cookies and the third party cookies. So third   party cookies are really all to do with third  party API's that may be used. So for example,  
02:03:22
if you're on a website that utilizes flashplayer,  you may find some cookies, that that are in relate   that are related to the Flash Player. So it's very  important that you understand how to collect these   cookies. And as well, we'll be looking at reverse  engineering them, but not really tampering with   them. Because I first want to explain to you guys  how everything is done. And then we can move on   into into finally tampering with them and seeing  if we can change them to give us access to give us   different type of of access. And where this comes  into play is when you're talking about session   cookies. And in this session cookies, we have the  the auth, the authentication token, and the D and   the unauthenticated token. So all to do with your  access on a web application or on a website. Okay,   so essentially, all the cookies that you can  probably ever get when you visit or you get   when you visit a website are they are generated  when you visit the website. And furthermore,  
02:04:23
the cookies change when you authenticate with  the website and you or you log out right so when   you log in, you get a different set of cookies.  And when you log out, you get a different set of   cookies. This is where the whole idea of session  management comes into play and how cookies are   utilized for this system. So I'm currently running  OSU shop. So I showed you guys how to set that up.   Let me know if you found it helpful. So I have  it set up and open as it opened up in my browser.   Now what I'm going to be covering is how to  collect these cookies and understanding the   difference between an unauthenticated cookie  and the authenticated cookie. So Usually,   what I have, or what I use to my advantage  is if you're using Google Chrome or Firefox,   you you can get a cookie collection or a cookie  editor add on that allows you to edit the cookies.   But as I said, we're not going to be looking at  editing them right now, because we don't know   what to change in them, this video is going to  be focused on collecting them and then analyzing   them to see what information they have within  them. All right, so I've currently I reset this,  
02:05:27
the OWASP juice shop. And the reason I did that  is just to start off fresh. And I said, we're   going to be using this for performing all of the  examples that we'll be showing you so that we can   learn all the concepts. So I'm just gonna, before  we log in, I just want to show you the first set   of cookies that we'll get once we were when we  visited the site. Don't worry about the other   links, we'll get to them in a second. Alright, so  I'm using the cookie editor right here, you can   find this same one for Firefox, that's what I'm  using. They are also other ones for Google Chrome,   if you want to do that. And in addition, we're  not going to be using any proxy, like burp suite   or the OWASP zap right now, because we're just  focused on using the browser tools. And of course,   these add ons here. So what I can do now is if I  just go right click, and I hit Inspect Element, we   have the, the developer tools right here. And if  we are to go into Once you've installed the cookie   editor, you can directly go into storage. And in  storage, you will, you will begin you will get the  
02:06:30
cookies here and other values right here. But if  you it'll be better for you to understand what's   going on if you go into the cookie editor. Now  in the cookie editor, you can see that we have   two cookies that we've gathered here, and we have  the cookie consent status. And the the i o which   I'm not sure really what it does input output,  output, I'm probably guessing. So when it comes   down to the QB, consent status, we probably get an  idea of what of what this is. What this is asking   us. So when I when I opened up the website, it  gave me a prompt asking me like all websites will   ask you in 2018 to do is to accept their privacy  policy, in their privacy policies in regards to   their use of personal data and cookies. And the  reason is, is because cookies can can log or have   a lot of information about you. They contain a  lot of information about what your what you've   been doing. So this is why I've created this right  now before we move along, it's very important to   understand their role in session management. Okay,  so we need to look at the authentic authentication  
02:07:36
tokens because that's where most of the magic  happens, as you would expect. So let me just close   this up. And let me just log in. So let me just  use the password there, the email that I used,   and the password, like so. And let me just log in.  I don't want to save the password. So I've logged   in now. And if I inspect the element, again,  you can see in the cookie editor, let that load,   it usually takes a while to load. There we are,  we have the token. Now the token, this token is   an authentication token. Alright, so when it comes  down, when it comes down to reverse engineering a   token, for example, let's use this as our example.  We essentially testing it for vulnerabilities   similar to a penetration test. Now you might be  a little bit confused. You might be asking, Well,   what what what do you mean by this? How can we  perform a penetration test on this token? Well,   this token is encoded. Alright. So this is if  we just copy this. I don't know whether you know   about this, but this is a JSON web token. Alright.  So it is it is a JSON web token. And you can use  
02:08:37
the JSON Web Token decoder, I'll be posting this  link in the description. This is the one that   I prefer to use. If I am to paste this in here.  And you can see once I've pasted it in here, it's   going to give me all information. And I'm going  to help you understand what we've just done. So   essentially, what we have done is we have reverse  engineered what this web token is all about. So   now we need to look at what what it contains and  what type of authorities or privileges it's giving   to us. Because remember, this is an authentication  token. And it is unique to us because this will,   this will determine whether or not we're logged  into a site or we're logged out and what access   we have on the website. I'm pretty sure you  already know that. All right. So when it comes to   the header, now, this is very important. I've seen  many web people claiming to be bug bounty hunters   and they don't understand how the the web token is  even structured. What is the header the header is   separated from the payload. This is the header  right here, up until the first full stop that   is the header it's very important to understand  that because they are separated from each other.  
02:09:41
In fact, the JSON web token is sorted into three  parts right here you have the you have the header,   you then have the payload until here. And then  finally you have the signature which is right,   right at the bottom here which is also separated  from the rest. Okay, so when it comes down to the   header, alright, the header is going to give  you the of the of the token. In this case,   we know it's a JSON web token, we then have the  algorithm, which is the hashing algorithm used,   which is the RS 256. And then the payload  now in the payload, this is where things get   really interesting as you would have expected, you  have the status, the status code here, the data,   if any data was passed the ID, we can always use  the ID. Two, we can always edit the ID to see what   else it can give us in terms of authentication,  because different types of identification or   identification tokens give us different types  of access. So, as essentially this is what I was   talking about, this is where you will scrutinize  the the the authentication token, and try and and  
02:10:43
tamper with it to to see what different results  you can you can get. So remember, we can edit this   token, right, and we can edit anything about it.  And then we can finally copy it. And we can use   that in the OSB shop and paste it right here and  re authenticate with that new token and see what   results we can get. Now, of course, we're not  going to do that right now, because I wanted to   introduce you as to what information you're going  to find and what exactly is going on here. Okay,   so one step at a time. So you can see that  something interesting pops up here, something   extremely interesting, we have the email which  for some reason, in this token, we can see that   it's not very well designed because the email is  in plain text, which means which means if In any   case, or in any scenario, someone is able to get  this token in which I authenticated within a site,   they will have access to my email and my password.  But you must be saying, Well, I didn't see you  
02:11:44
type out all of these random passwords here. Well,  I can easily guess that this is an MD five hashed   password, which means I can depending on the  on the strength of the password, I can decrypt   online in a second using any of the decryption  tools. So if I was to just copy this right now,   and I wanted to know the password, let's say this  wasn't even mine, this authentication token wasn't   even mine, and I found the the email and password,  all I needed to do was unmatched the password,   I can go to Mt five online.org, which is what I  use a lot. And I paste that hash right in here.   And I hit decrypt. And you can see, well, first  of all, it's gonna prompt me to enter capture   your storefront. This is this is getting really  annoying. Now, for some reason, it always does   that, as you can see, it's gonna, it's gonna find  the action. Of course, this is this is dependent   on the difficulty of the hash and whether or not  it can find it online. Okay, so you can see that   it will display the hash and the password in plain  text, which in this case was passed 123. Now,   of course, you can experiment with this.  And you can also experiment if, for example,  
02:12:46
the authentication token that you found was using  a different encryption, or a hashing algorithm for   the password, the first thing you need to do is  identify what it's using, and then you go about   decrypting it. Now, I'm not going to be talking  about the other parts here, because that's a bit   that's a bit advanced. As you can see, by default,  the signature, the token signature failed,   which means we can tamper with this token, and we  can make changes to it. And we can authenticate   with it because it said, The OWASP juice shop is  is designed to be vulnerable. And this is where   you perform all of these tests. Okay, so when  it comes down to the payload, the most important   things are to look for the status, the ID and  obviously, if you can get any other information   in the data section, or in terms of the email and  the password, that's also very important. Now,   of course, it's not very easy to get a hold of  someone's of someone's token, but you can do   it but and then you are performing the penetration  test on the token, because if someone was to write  
02:13:47
in the comment section of this video, what it was  to grab the the authentication token that belongs   to Facebook lets you have access to someone's  computer for a few seconds. And as to get the   authentication token, what would I be able to do?  Well, first of all, you have to test the security   of the token. And I can guarantee you that their  tokens are going to be very well secured and   performing the penetration or the penetration test  on them will be a different ballgame. So we'll be   looking at changing them or or tempering them to  give us different types of access. We're going to   be talking about HTTP attribute attributes and  cookie security. I am currently running OSU shop   and what I did is I started a fresh new instance.  So I unzipped a new OSU shop. That's because I   wanted to start afresh Now, of course, in the  previous video, we looked at cookie analysis   and tokens. But now we're going to look at how  at the security aspect of how these cookies are   secured and how you know how cookies are stolen  and how these can be exploited with with with  
02:14:51
other exploits or functionality like cross site  scripting. Now you will get to what I'm saying   in a few seconds. So I have was used Stop running.  And I've created the same user and password as I   did last time. So it's a test@test.com, that being  the email and the password is password 123. Just   so you know. And I'll do that right now I'm just  going to log in, as you can see, test@test.com   and the password is password 123. So let me just  log in. And there you are. So I've logged in and   haven't solved any challenges. So when we talk  about cookie security, what do I mean? Well,   this can be done or can be inspected really  easily. Now, of course, for this, you're not going   to need any of the browser extensions or add ons,  because we'll just simply just be inspecting the   element here. So if we open inspect element and go  into storage, and we go into cookies, and select   the site, which is on localhost, you can see that  if I was to click on, for example, the token,   and we just look at the data, you know, that we  can see within the token, if we go to the HTTP  
02:15:58
only section here, you can see that that is set to  false. Now, what does that mean? Well, that means   that we can potentially exploit this cookie and it  storage location in the sense that it is it is, it   is not secured. Now, I'll get to why and how this  is happening in the in a few seconds. Alright,   so if the value is set to false, it means that the  cookie can be accessed and written to now how can   one use this, you know, for potential attacks,  or Cookie, cookie stealing, as we know it. Now,   if you are an advanced web application penetration  test, and you know about cross site scripting, you   know, that usually attackers will use cross site  scripting, to steal cookies, by sending you links,   that then, you know, by sending you links to pages  on the site, that you're already authenticated to,   that have the the the malicious JavaScript  code that will then send your cookie,   your authentication cookie with your token,  etc, etc, to their attack server. And from that,  
02:17:01
they can then use that to authenticate into your  account, it's not common, because mostly, the,   the cookies are usually secured. Now, you will  run into sites that have this and this is a very,   very big vulnerability in terms of severity. So if  you're a bug bounty hunter, this is in the medium   to low category, so not really a big exploit, but  still a very, very big problem that many, many,   you know, usually, I would like to say rookie  developers Miss, especially when dealing with   huge frameworks like node etc. I'm not going to  get too deep into that. So you can see that the   HTTP only is set to false. Now, what does this  mean? This means that we can use utilize a lot of   functionality to exploit or to display the broken  or even more to send this my cookie or you know,   my token, whatever you want to call it to a server  or to save it, alright, to grab it to steal it,   you know, simply put, so how can we exploit  this? Well, we can use cross site scripting,   and this is probably the most used method  for this. And to do this, we can simply,  
02:18:05
we can use any of the, we can use the search, or  we can use the contact. But I like using search   because usually it is unfiltered. Now, when I  say this, I'm you know, many of you will say,   Well, most of the big sites, well, I'm not talking  about the big sites, the big sites, obviously have   to take this into consideration. I'm talking  about sites that are developed by small teams,   they usually don't take this into consideration.  So if I was to just type in a simple cross site   scripting script that will essentially display  my cookie right now as I'm authenticated. So to   do that, I'll just type in script. And for  this, we're using an alert here to display   to us so alert, and we're gonna say document,  whoops, stop, sorry, document, dot cookie. And,   and then we're gonna just close the script like  so. So this will display our cookie to us. Not   really helpful. But you can imagine if we were  to have this permanently posted, for example, as   a post here, and then whenever we send that link  to someone, and they click on it, we can customize  
02:19:06
this JavaScript code to send their cookie to  our web server. And once we get their cookie,   you basically know what's gonna happen there. So  if I hit Enter to search, you can see that it's   going to display our cookie and our token, and  this is extremely dangerous. You might not get   the context, but I'll explain it in a second. So  essentially, this information can be passed and   sent anywhere across the world, provided that the  that your target clicks, clicks on a link in which   this, this script is executed. Now, the question  that you might be asking yourself as well, where   else can we post this in in sort of a malicious  way and I know that I sound malicious right now,   but I'll also get into how to mitigate this. And  again, mitigating It is really simple. Just set   your HTTP status or your HTTP attribute to true or  set it to on essentially securing your cookie now   You can see that once we have this, you saw in  the previous video, what we could do with such   information, and what info it contains in regards  to the user. And how we can, we can, you know,  
02:20:11
crack the password. But for now let's focus on how  this can be utilized to steal the cookie or how   attackers do it. So you can also get insight if  you're a white hat. So usually I can post this in   here, I can put, you know, I can type the script  in here. But this is not, it's probably not the   best way of doing it. Because you essentially  have to convince the user to go into the search   bar and type this in. Not really the best of ways  about going about going about this. So usually,   we look for a page that allows us to, you know, to  post our own stuff, or to save this to a database   or to save it to the website itself. So we let's  try contact us. Alright, so contact us. Yeah,   that looks like a good place to start. So in the  comment you it already added our author for so in   the comment, we can enter, we can end our script  in Yeah, and this will probably probably be saved.   But we have to test it. Now. Of course, the cookie  stealing JavaScript code is not something that I'm  
02:21:11
going to be telling you how to do, you can  probably perform a lot of Google searches,   it's part of the terms that I have to follow.  In regards to YouTube's YouTube's policies   about malicious content, and when what not,  so I'm not going to show you the exact code,   but I'll probably have it on my website, if you  want to take a look at it and experiment as to how   to send cookies to a another server or server that  belongs to you, for example. So to do this, so now   essentially, what I want to do is I want to save  this script, into the contacts section, because   I believe this is saved. If I looked, I looked at  the structure. And indeed, this is saved. So the   script is quite simple. So we can say, we can  give it a title because I know the feedback is   left like that. So we can say script test. And we  can close the script here. So scripts, but then we   have to include the the actual JavaScript code. So  yeah, so let's include this script within the main  
02:22:13
one. So script. And then once we close this one,  we can then use the other script. So your script,   whoops script in, you can copy this code if  you want. By the way, let me just zoom in,   because a lot of you had actually talked to me  about that, that you couldn't actually see the   code. So script. And now we want to bring up  the alert. Now, of course, as I said, this is   not really useful, because all you're doing is  displaying the cookie to the user themselves,   once they visit this page, so you probably  get the idea. So script, alert, and we are   just simply just going to write the document, of  course, it's all sending it to a malicious server,   what I would have done is I would have used the  document dot cookie, and I would have appended it   to be sent in in the form of probably a PHP file  or a PHP GET request to my server, and then my   server would log all of the information being sent  back. So that's the concept there behind so we can   then close the script here. And sorry, we have to  actually close the script. Oops, sorry, my bad.  
02:23:19
And then we close the script there. And finally,  we can close the final script ending here. So   script and there we are. And we can leave a  rating if we want to. And there is a CAPTCHA here   authentication 10 plus five. You You basically,  this is also an exploit here that you can enter.   Because if you look at this very basically, from  a simple perspective, the capture here is again,   is another false positive. And again, I know I'm  dragging this, I'm dragging it a lot. But But what   I'm trying to explain here is, if you are going  to, you're going to be performing a penetration   test on a web site, you need to understand that,  from the perspective of false positives, you   should not go after the big exploitations or the  big exploits first. Alright, so if I submit this,   as I know the structure of the OSU shop, this will  be submitted to one of the pages in which after   I click, or any other user who is authenticated  clicks, will will run that script, or this script  
02:24:24
and will the cookie will be displayed on the  screen. And if you want to manipulate or use   your own script to send the cookie to your server,  by all means go and do that. I'm not condoning it.   So that is 75. And I hit submit. And what nots  wrong capture 10 plus five, actually, 25. Yes,   brackets of division multiplication addition, you  guys must be thinking I suck at math. So that is   25 plus five, plus 10. Sorry, that's 3535. And I  submit that whoops, we have to actually type our   code back in Sorry about that, guys. So we can  just type in script, and we're simply testing   test. And then after this, we can close the first  one. And script here. Whoops, sorry about that my   keyboard is quite a distance from me. Alert. And  my spelling mistakes are really annoying script.   And finally, we can use the document. My God, man  my typing document dot alert dot cookie, sorry,  
02:25:30
we are we have already sent the alert, we will  use the doc document, that alert would essentially   display the entire webpage, document dot cookie.  And in here, we close the first script. And sorry,   the the initial script. And then we close the  last one year. So script. And we close that right   there. And finally, we can give this a rating and  resubmit. And that should submit it. I don't know   what the issue is here. And then there we are.  Also some Alright, so there we are. Thank you for   your feedback. So you did submitted there. Let me  zoom back out. Now, you can see that, where would   you go to launch the script? That's, that that  will be the question that you might be asking.   So on this in this structure, you can pretty much  experiment with all the other pages. And again,   I do recommend that you use you know directory  discovery tools, like there Buster go buster,   whatever is comfortable for you. So with this  in mind, if I was to just click on About Us,   you can see that that is where the the the  feedback in regards to contact is stored.  
02:26:36
So there you are, there's the cookie. And if  I was to if I was to have implemented a script   that would send the cookie to my server, once  I access to this page as an authenticated user,   it would send my my session ID all of that good  stuff to my web server, I now be able to crack the   password and authenticate with your account. As  simple as that without ever knowing your password   without ever trying to have guessed it without  without ever trying to have exploited your system.   I exploited the web application. And because  of the the ability of the developer of the web   application to secure the cookies, I was able to  get into your account and god knows what else you   can do in that person's account. And this is you  know, this is tribute to my all my Facebook hacker   friends out there who think hacking Facebook is  about cracking and brute forcing. There you go,   you know, web applications can can be cracked  in or can be exploited in different ways. Now,   of course, as I said, it's going to get really  exciting as we move along with Duchamp. And  
02:27:40
that's the reason I'm using it because it explains  how this can be done on a real website. And yeah,   we're going to be looking at OWASP juice shop. And  it seems to replicate what a real web application   would be a fairly poorly designed one. But the  thing I like about it is, it has varying levels,   levels of difficulty. And that's really,  really awesome. I have it set up on Heroku,   as you can probably see right over here. And that  works perfectly fine for me because I you know,   I wanted to set it up really quickly, I want to  run it on my local server, you know, using node   or Docker. That's really is, I really didn't have  the time to do that. But if you want to you can,   you can use Heroku. And it should be free for  you. So yeah, definitely go ahead and give it   a try. And you should have a an instance set up  for yourself. So you can go ahead and do it. And   it's giving us a prompt here telling us that  this website uses fruit cookies to ensure you   get the juiciest tracking experience. Now, from my  experience, I would hit accept the cookies because  
02:28:45
essentially, that's what keeps track of your  progress. And yeah, that's pretty, that should   be quite good. Now as for my browser, I'm using  the latest version of Firefox and I have you know,   plugins or add ons like cookie editor. And that's  pretty much what we'll be needing In this video,   I hope and we don't have the the proxies here like  sorry, Foxy proxy to allow us to use things like   burp suite or zap whatever you want to use. OK,  so let's get started. Now the first challenge,   as I believe is to get the the scoreboard and  we should start from there. And to do this,   I think I have done this already. That's really  very simple. All we need to do is well first of   all before we actually do that, the interface is  quite simple. It is a juice shop as you probably   can see and could have understood and they  sold juice. Now the great thing that I like   about OSU shop is that this replicates a real  life a web application with you know, security,  
02:29:45
misconfigurations, etc, etc. So if I log in,  you have your login page right over there, man,   you can create a new account if you want to, you  can search where the Contact Us page allows us to,   you know, essentially contact whoever is behind  the site. Then we have an About Us page. And   the thing I like about this is, as I said,  it replicates what I would call a real web   application. Now when you talk about, about the  scoreboard, I think that can be accessed really   quickly by going into scoreboard like so. So, you  know, we can just hit scoreboard. And if I enter,   that should give us the scoreboard. Alright,  so it gives us the notification once you've   completed the challenge, and the reason it does  this is to notify you of your progress. Remember,   this can be considered a capture the flag type  of challenge, but I wouldn't call it this I think   this is fantastic for essentially explaining the  concept here. Alright, so let me explain how the   scoreboard is essentially works. Alright, so  a scoreboard is as follows. Sorry about that,   if you had my phone, it always seems to do  that. So we have, we have the challenges  
02:30:49
sorted in terms of difficulty. So we have a  one star, two star, three star, four star,   five star and six star. And they all have  various challenges within them. So for example,   the the difficulty sought in terms of star so you  get the idea, one star is quite easy, two stars,   you know, not so easy, we have three stars,  things are getting a bit sweaty here, four stars,   now we're talking five stars, I'm banging my head  on the wall, and six stars, that's going to take   you probably a few, a few days, or, you know,  hours depending on your determination. Alright,   so you can see it also gives you the gives you  the challenge names here. So if I click on the   two star challenges, you can go ahead and look at  the challenges there. And we brought I think in   the previous videos, we covered a lot of the two  star and three some of the four star challenges   that we wanted to go through. So the three star  challenges are where things get really awesome,   because it does start logging in with other  users. And there's a bit of cross site scripting,   I'm not going to go through all of that,  let's start off with what we can do. Alright,  
02:31:51
so the first challenge in the first is access the  administration section of the store, or right,   so I'm guessing we have to try and log in, I  think I've done this, this is the first challenge,   we have to access a confidential document provoked  an error. That is not gracefully, very gracefully   handled, not to show that is let us redirect you.  I'll try and cover as many as I can. In one video,   we have cross site scripting attack. This was  simple. I think we covered this. So yeah, we can   pretty much run that in one of these right over  here. So script, and alert, as it already gives   you hints these are very, very easy. So I can  just say test. Have I given the OP Sorry, my bad.   So yeah, there we are test. And we close that up.  And we also close the script right over here. And   we hit Enter. And there we are. So that is one of  the challenges solved, hopefully did pop up there.   So if we go back to the scoreboard, it still  tells us for some reason, the web application is  
02:32:55
too low, it's not told us that we have performed a  reflected cross site scripting, all those I don't   know, right, so reflected. Anyway, we'll get to  that when we get to it. So if we inspect the login   page, what we can do is we can create a user. So  I'm going to create a user here. And I'll just use   a simple user here called test@test.com. And the  password or call that password. And I'm going to   repeat the password here. And I'll just call the  password password. And I'm just going to use name   of your favorite pet. And I'm just going to say  dog right over here. I'm going to hit register.   And we're going to save that. Alright, so I can  log in now. Did I log in with the correct test?   Yeah, there we are. And we're going to log in,  and we are logged in. Alright, so let me just   zoom out. So the interface does not really crashed  on us. Let me just get rid of that. All right,   so it's sorted out really well. We have the  language selector here your basket, which   essentially allows you to select your to view the  items in your basket, you then have your coupon  
02:34:01
if you want, if you want to use a coupon and you  have your checkout, which essentially I believe   takes you to the the OWASP juice shop, donate  page if I'm not wrong. Let's just see if that   is correct. Yeah, yeah. So if you want to support  the project, I would, you know, you can donate to   them. It's a really great project. I really do  recommend that if you can you do so. So you can   change your password, which is awesome. I think  we also took a look at this and how to change   it using using the GET requests. Contact us where  you can necessarily write in, you can contact the   person via the site or the administrator as I  would believe. You can comment, recycle recycle   what this requester recycling box so you can type  in liters here that has a selector. Alright, okay,   that's not too bad. We have a complaints board.  And the scoreboard itself here, which for some   reason, keeps doesn't really load. So let's try  and work on the first section. As I mentioned,  
02:35:07
I'll try and cover as much as I can here. And  you have the About Us here that has some sort of   Let's see some sort of checkout or boring terms  of views. Let me just check the scoreboard what   exactly are we supposed to do? Because access the  administration section? What's in the two star   here? login with the administrator. All right, so  we're trying to access the administration section.   So let's try and access that right over here.  So I'm just gonna type in admin administration,   like so I'm gonna hit Enter. And yeah, that was  pretty easy. And we get the email right over here,   admin and do shop. That's the admin email. And we  have all the emails right over here. So we have   you met juice, juice shop, Bender, and some other  uses. And we have also, yeah, alright, so we got   the registered users customer feedback, and the  recycling requests that have been posted so far.  
02:36:09
Which means you're starting from the basics.  So I think we can try and log in with admin,   but we don't know the password. So yeah, so I'm  just going to log out. And let's see if we can log   in with the password here. admin, I do shop, and  I probably I'm probably guessing we have to use   SQL injection. And in this case, I think I know  what to do, because I have done this before. But   it has been changed quite a bit since the last  time because I think in the previous versions,   it was with admin only, there was no domain  oza username, I'm not too sure. Anyway,   let's try and see if we can throw some  errors here. So if I log in, alright,   so that means you have to provide a password. So  let me just try and use the single quotation. And   let's see if that Yeah, it does throw an error.  And there Yeah, we completed the other challenge,   which you successfully solved the challenge error  handling provacan errors here. So essentially,   performing error enumeration, if that's something  you've never heard of, it's essentially where you   just try and see all the CE o 's fuzzing really  just throwing, you know, information at the  
02:37:14
system, seeing how it responds. And we get here  the query. So we are performing SQL injection,   because as you can see, tells us here we have  the the query right over here, which is telling   us select and what this is saying is select  all entries from the user table where emails   are equal to and we specify the single quotation.  And the password is what is this? This looks like   a hash? What hash is this? Let me just check. I'm  think it might be MD. Five, I'm not too sure. Let   me just check this hash identifier. And we just  paste that in there. Sorry about that. Let me   just paste that in there. Yeah, this is an MD  five hash. So that probably let's just see if   we can decrypt that or decode that. So I'm just  gonna say MD five decrypter, or something like   that. Let's just see if we can do this online  really quickly. Come on, come on. I want to see  
02:38:17
what error because that's, that's a password.  Let's decrypt that. And we'll for some reason,   it's taking too much time here. So yeah, yeah,  it's essentially hashing the password. Alright,   interesting stuff there. We actually now know that  the password is being hashed, obviously, you know,   with the Mt. Five, hashing algorithm or protocol,  whatever you wanna call it. So original. And yeah,   that is the query statement there. So we can try  some basic SQL injection. And some of the basic   ones to log into admin or to essentially log  into the administration, the admin panel is,   now the thing that's weird is are we going to use  the password do we're trying to get authentication   so that means let me disclose that. That means  if we just throw the error one more time,   or get the when you were able to get the query  here. So we are saying select actually start from   there. Select from users, so select all queries,  all entries from the user table, from where email  
02:39:24
use the table. So there's users Alright, so the  user, the user table as email and password, okay,   I follow now. So that means we can try we can  try, we can try and use the or statement here.   And probably we can use the not statement if we  are going to Yeah, that will make a lot of sense,   but we only using email so we'll keep the  single quotation. So what that means is,   is if you know about SQL injection, hopefully I  can explain what's going on here. So we know that   the password is being hashed, we're saying select  from the table where email and password. So that's   the statement. So select from the table for sort  of select from the users table where the email   and password is going to be equal to is going to  be equal to what we have entered. But remember,   the the password has to be has to stay as the  single quotation. So that means your we are  
02:40:28
going to be using the or so this is basic use,  you guys should be knowing this, but if you want   me to cover it, let me know so or equals or so or  one equals one. And the other ways of doing this,   I think I'll post a cheat sheet in the description  section, you can check it out for yourself just   to get up to scratch with what's happening. So  what we're saying is we're using the or the or   the syntax of or is very simple. It's where we  have the what's happening here is we're seeing,   we're seeing Okay, so if you know the syntax  for how a query is made in SQL, it's really   very simple. So we're saying select from, from  the table, remember, this is specifying a table,   not a column. So it says select from the  users table from select from the users table,   email password, so comparing and then we say  all the new specify the condition with a value,   we can enter our into fields. So we can say the  value of the email can always be changed. And we  
02:41:29
obviously know that that is the first account  that was created. And the password is going to   remain the same. So we hit login. And yeah, we  get still keep on getting an error here. Now,   that is weird. No, because if I specify there is  no comment here, or one equals one, yes. So it is   working. So you can see. So select from users,  where one equals one and password. Yeah, so we   want to nullify and password we don't want and  there. So for that we use the user comment here.   And there we are. Excellent. So we're able to log  in to the administrators use account. Alright,   so let me explain what happened there. So as I  said, the the syntax of the query was as follows   we're selecting from the users table, we're  selecting the email and password and comparing   them to each other. So they have to match show  up, you're performing a query, a simple query,   and what we said is, or that's a conditional  statement. So we're saying or that we specify  
02:42:31
the condition where the first value is going to  be equal to the the, the first one is going to   be equal to one, and we nullify the, the password  where the password was we're essentially removing   authentication. And we are what because we're  including the comment syntax for SQL. Alright,   so that was pretty simple. But now, the thing  that's bothering me is we don't have the   password. So let me just check the scoreboard.  And let's see what progress we've made so far.   So have access administration section that's  not in here that is in here. So log in with the   administrators use account. Marino the password.  So I think that's how we're going to be logging   in. We know the email, because if I just go back  into administration here, administration, I hope   the video is not getting too long. So we have the  admin. We have the admin email here. Um, oh, yes,  
02:43:32
yes, yes, yes, we have the token. So if we inspect  the element, and we go into the cookie editor,   for example, we can use that or you can just use  storage. But I should have done it, you know,   from the cookie editor from the beginning. So we  have the the token here. And I talked about this   in my other video actually went through this  with the token. So. So we're gonna say token,   I think the site was it's a JSON tokens, a token,  decode, and should be the first site here, the   JSON web token. So jw t.io. That's an excellent  site. And we talked about this. So if you want to   watch that video, I'll post it in the description.  So you can check it out. And the email is admin.   So that's the authentication token, and that  gives us all the information we need. All right,   so we have the password here. But again, what is  this hashed into? That looks like MD five again,   but let me just confirm, and let's see what  that gives us. So the password is hashed,   as we know with MB five, so let's just confirm  hash identifier, because there we are. Yeah,  
02:44:40
it is MD five. So let's just decrypt that one more  time. So I'm just gonna paste in that hash there.   I'm just going to decrypt let's give that a few  seconds. Oh, my God, man, all the traffic lights.   And let's hit verify. And yeah, there we are. The  password is I mean 123 Yeah, that's that's pretty   basic, but again, replicating common practice  that you would find. So what was the email? Oh,   boy, what was the email? Let me just log back  out. Correct. All right. So let me just use the   statements. Oh, yeah. So we're logging in. So all  one equals one, because we're all the waters the   I think we can access the the middle from the  administration. Sorry about that, guys. I know,   I'm getting really mixed up. Well, we're  not logged in yet. So anyway, let me just   log in. And we can do the administration here.  stration. And the admin I do shop at juice shop,  
02:45:41
a juice.up. Yeah, that's there to confuse  people. So you can guess it? And we're   logging in with that. And the password is  admin 123. We're going to log in, and yeah,   fantastic. So you solve the challenge password  strength. So that was the problem there. That's   the vulnerability that they're trying to say  exists. So you know, again, password strength is   something that people don't take into account,  login within message user credentials, without   previously changing them or applying SQL. Could  you have done this with SQL injection? Probably,   I'll have to cover SQL injection, because we know  SQL injection is one of those things that's really   dependent on the query. So let me just go back to  the scoreboard here. I don't understand what else   is left. There's still a lot of stuff that have  to cover. I talked about cross site scripting,   but I think I'll cover that in the next video.  We'll explain it again. What is the what is the   the confidential document error handling? Or we  don't have anything much they're actually someone  
02:46:48
else's basket? I did that. What else should I want  to cover here? Let's look at these ones right over   here. So yeah, so the authentication area here  is where I want to look at. I think that's where   I'm going to end this video. I know, I haven't  covered any advanced stuff. But hopefully that's   like an introduction. So where we, where we have  been able to log into the administration in the   administrators account, we are able to get the  scoreboard the administration panel, what else   were we able to do? We were able to provoke  an error, not saying no nothing really complex   there. And we were able to log in with the admin  tree at the administrators group user credentials.   Now we looks like we can actually get access to  Max's search original users credential so again,   another user that we can try and get access into.  Yeah, that's gonna be it for this video. Guys. If   you found value in this video, please leave  a like down below. If you have any questions   or suggestions, let me know in the comment  section on my social networks or on my website,  
02:47:50
and I'll be sure to leave your reply and I'll  be seeing you in the next video. Peace, guys.

DOWNLOAD SUBTITLES: