Ethical Hacking 101: Web App Penetration Testing - a full course for beginners

Captions
hey guys hack exploit here and in this video we're gonna get started with the web application penetration testing series alright so a lot of you guys have been asking for this mostly because you want to learn the art of bug bounty and here is the series who have worked really really hard on you know making it as comprehensive as possible we're gonna get started with setting up burp suite so for those of you don't know what burp suite is burp suite is essentially an integrated platform for performing security testing of web applications all right so the first thing you need to understand is that it it will allow us to intercept the data being sent between your browser and the web application so it's it's a great way of understanding how data is being transferred and how data can be manipulative manipulated between the client and obviously the web application okay so the tool we're going to be using as I said is burp suite and I'm currently running pair to us so don't worry if you're running Windows or Kali Linux it doesn't really matter all we need to do is just download and install web suite it's pretty simple gets the setup you don't have to register you just download the free community version now obviously down the line you might choose to to buy the professional version which I do recommend and I have used but I don't use it as often I'm not as you know specifically a web penetration tester I'm more of a I'm more of an of a web server penetration tester so I really work with a different vector so by default you can choose to bite that's once you become experienced and you know you've chosen whether this is the path that you want to pursue it's a fantastic path I know a lot of people who you know make good money with bug bounties so you know it's something that you can look into as well alright so let's get started with setting up the proxy alright so this is the intercepting proxy that allows us to obviously to intercept the data being sent to inform the client 
and the the web the web application so to do that we need we can just do it through Firefox so the browser I'll be using is Firefox you can use whatever you want and by default you want to go into your preferences that can be found here preferences there we are and you want to go all the way into the bottom here that way it has the network proxy and make sure you go into settings and you want to go into manual proxy configuration alright so this is we're going to configure it to be the localhost with the port set at 8080 alright and then you want to make sure that this you use this server proxy for all protocols so that is the proxy we're going to be using and just hit OK alright and once that's done you should be good there now what you want to do is just open up burp suite so you can search for it or I have it already on my on my little taskbar here and I don't think I've updated it for a while so I'll probably need to do that later but for now I'll just close that the update prompt and it's going to prompt you welcome to burp suite and it's gonna say not depending on the version that you've chosen to select whether they have chosen the community version which is what I have here or the free version as it's called and you then have the pro version so by default the community version only allows you to use a temporary project if you have the professional version that allows you to save your project which is you know great functionality as well so just hit next and you just want to it use the defaults and just hit start back and just give that a few seconds to start it up all right and I'll explain the interface generally but we'll be looking more into how burp works in the next video I just want to get you set up with burp in this video and you understand what exactly is going on alright so welcome to burp now by default again it may seem a little bit intimidating mostly because if you're a beginner you have not heard of any of these of these words here and you 
don't really know what they are doing alright so by default you have your target proxy spider scan into the repeater sequence ID code a comparator your project options your user options and alerts we'll be going through all of this as we as we know perform real-world testing on our on our vulnerable on our vulnerable target I'll be showing you how to set up a damn vulnerable web application soon and many others but for now just focus on burp suite alright so by default you want to just go into proxy alright and for some reason I already have some data here so you know what I'm just going to leave that as it is I just want to turn or intercept off so we are not intercepting any traffic as of yet and you want to go into your options and you want to make sure that your proxy listeners as you can see but proxy uses listeners to receive incoming HTTP requests from your browser so you have to make sure that your proxy is set as the as the one we set in Firefox which is the localhost one twenty seven point zero point zero point one and the port is 8080 and make sure that that is running alright you can also create your own and add it here and you can also remove it so you get the idea now by default if I just go back to my intercept if I just go back to my browser and this is where the real magic happens if I just you know if I just open this and I type in a simple test site example.com and I just hit enter all right it's gonna load it up here but if we're going to burp suite and I go into HTTP 3 you can see that by default there are some are Firefox portals you know some get methods here but we'll be looking at all of these methods or requests by default you can see that the example.com the example.com URL that we entered you can see there is a get request and furthermore if you go down to the bottom here you can see there is some more information regarding what a request was sent to the web application or so by default you can see that the host was example.com and it 
gives you more information like the accept language the encoding the connection and if you look at the headers you can see that the the header shows you know very very clearly you have your get host user agent accept language they accept encoding connection etc etc so you might be a little bit confused if this is your first time hearing about you know headers and the request and response paths but don't worry about that we'll get to all of this for now if I just go back into intercept and let me just open up my browser here and we open something like the my website which is say a chestplate com so before we do that I just want to hit intercept on alright so it's going to intercept actively and we're just going to HS play.com and I hit go alright know by default is going to tell me that essentially that the my connection is not secure don't worry about this just go into your and just add this as an exception there we are I'm going to confirm exception and now it's still not going to load the website and the reason being is we've not for that at the request and they are being intercepted by burp suite alright so if I go into back into burp suite you can see that it has started the intercept process and by default you can see that we need to Ford we need to Ford the request here so if I just Ford it let me just fold that again there we are let me just for them for hack exploit there we are that's the correct one so I'll Ford this again and there we are so now Hawk exploit should be up and running and as you can see I should have loaded the site give that a few seconds there we are alright so as you can see that is how you intercept the data that is being sent from the client to the web application and furthermore that's how you you can analyze the data being sent and furthermore manipulate it to obviously find vulnerabilities within the web application alright so irregardless of all of this I know this was very very basic and it's not really covered anything in terms 
of web application penetration testing but don't worry about that you know we start off really really simple and we build on that we're gonna get started with spidering more specifically spidering with bev sweet and you know the purpose of this video or this tutorial is to help you understand the spidering process and how to go about doing it with a burp suite alright so there's gonna be a little bit of Theory here but I'll be explaining a lot of things so again this video is really focused on understanding spidering now before you get started with that I just wanted to let you know that the target or our web application that we're going to be targeting we're going to be attacking is the damn vulnerable web application now if you don't know what the damn vulnerable web application is that's fine you can just google it and I'll probably make a video on how to get it installed on kali linux but what i would recommend if you're you know begin or even if you're a professional in hacking probably one of the best things that you need to have you know in your kit is Metasploit abort - alright and for the simple reason that it contains first of and foremost a vulnerable operating system and secondly it contains all the vulnerable web applications that will be using at one stage during this series ok so we're going to be starting off with the damn vulnerable web application as I said it comes pre-installed with Metasploit able to so all you need to do is get the local IP address on your Metasploit able to virtual machine which in my case is 192 point one sixty eight point one point one or two so what I'm gonna do is I'm gonna open up my browser and I'm just going to open up that web that IP address point one point one or two and just give it a few seconds to load up as you can see there we are that's Metasploit able to and it's going to prompt us to select what vulnerable web app we want to use in this case we're going to select the dvwa which is the damn vulnerable web 
application so just click on that and now it's gonna ask you for your admin and password in this case for your username and password sorry about that in this case the username is admin and the password is password alright so just hit login and it's going to log you into the damned vulnerable web application now we'll be looking at this either more in a later video and the reason is we have to go through all of these options but for now if you go to the if I can just remember where it was if I can just go to the security so to the damn vulnerable web applications security at the moment it was high because I was actually performing some tests on it but just change it to medium or low but for now you won't be using it I was just letting you know what web application we're going to be using all right that being said let's move on to burp suite all right and we can I can start explaining the spidering process all right so let me just open up web suite so I've updated it to the latest version I think I'm running Catalan X now in the previous video I was running parrot so I think they should be an update but I could be wrong so let's just give that a few seconds to start up yeah there is an update so I'll do that later and we'll just click on create our temporary project and use the web default and start that okay so once that starting let me explain what spidering is right now the purpose of spidering is to identify our scope all right or what what we want to scan now this is not exactly scanning and we'll be looking at scanning but essentially a spidering is the process of mapping out our web application and it's very very useful for finding links and and web forms which is also very important because it will allow us to then furthermore attack the web forms manipulate headers etc etc all right now when you talk about automatic spider ring with web suite it's essentially when when burp is spidering it follows links and I it'll it'll start following links and we'll start 
identifying for files folders and forms from the web application and it'll the the great thing about this is it will record all the requests and responses while it's performing the dhole spidering process okay so once you have a burp suite opened up here you can let me just expand it so we have a greater picture of what's going on exactly sorry if my virtual machine is a little bit slow I need to configure it correctly anyway what you want to do is we have looked at the proxy check section let's look at the spider section and in here this is a very very simple menu and to understand it you can see that we have two tabs available we have the control tab and we have the options tab alright the control tab essentially if we just click if I just look if we look at it as you can see these settings are used to monitor and control the depth spider so it allows you to stop to stock and stir the web spidering and you can also clear the queues all right when you look at the options which is right here sorry about that when you look at the options there are a lot of options we'll be looking at them and we'll be looking at them in a second sorry about that I actually got an email apologies there let's get started now with the control section so the control section if the log we are able to control this by the status where we can stop it and start it and you know furthermore we can clear the queues that already exist there all right we then have despite the scope where we can we can define our own scope and depending on what we want to spider we'll look at that in a few seconds and finally if we look at the well if we look in the options section here we have the crawler settings which allow us to specify the way the spider is going to crawl for the web content on the web application we'll be looking at the maximum link depth and what that means passive spidering that allows us to essentially spider to continue spidering when we are looking through or we're going through the web 
application we're performing requests and responses when they're performing requests as for the form submission this is probably something that we'll be looking at in the next video and we'll be doing this practically we will be actually performing the we'll be performing this by drilling process but for now let me see what else yes the request headers the request headers are used to you can manipulate essentially the headers if you've learned about HTTP headers by the way I really want to cover HTTP because it's very important that you understand how the headers work but we'll be looking at this all in advance but now let's start off with the spider status not really the spider status but looking at the control tab if you look at the spider scope you can see that you can it'll use the default suite scope which is defined in the target tab if you just click on use a custom scope you can see that okay first you if you just click on this little cog here you can restore the defaults you can load your own and you can save the options so that's just to do with that now and you talked about using the advanced scope here's where you can essentially this is where you specify what you want to map so you can specify a host deport etc etc okay again we'll be looking at all of this as we move along but for now we're just going to use the default suite scope we can just if once you click on that is going to stop that the spidering process but we don't need it right now so I'm just gonna come just gonna pause it and if we move on to the options now the options tab has a lot of stuff that we need to look into first and foremost we have the CRO the crawler settings alright so when we're talking about the basic options so for example we can specify what the spider will crawl for so it you can choose to select for robot the robots.txt file which is very important because it shows you you know exclusions you then can detect you can ignore the links to non-text content you can request 
the root of all directories very important stuff but again you can customize this to your liking now one of the things I would recommend that you do not touch with if you do not know what you're doing yet is the maximum link depth rate the maximum link that is essentially the number of links you want the spider to to essentially to crawl or to to map now by default five is in my in my in my situation or in my case what I like doing is alternating between three to five anything higher than that will usually overload the web application and it will cause it to lag or to respond very very slowly and you know again that might not mean a lot right now but trust me when you'll actually be performing the penetration test on the web application you really need a good response otherwise you have your time to live that cetera et cetera okay so let's look at what passes spidering is all right so specia spidering and set is essentially just it allows you to continue scanning you know or going through or actually performing your requests how as as it it essentially allows you to us continue the spidering process as you're performing any other task so as you can see passing spidering monitors monitors traffic through the proxy to update the sitemap without making any new requests right so passively spied as you browse you can also select link that's associated with proxy requests now this out recommend keeping it at zero to two and that's because again you do not want a very very deep link depth in the sense that you're also going to be performing your own requests and you'll be doing many other things you could be looking at the decoder or you could be looking at you could be focusing on the target and you don't want it again to to slow down the web application alright so form submission again this is something that I said we'll be talking about in the in the next video because it is quite advanced and we'll get started with the damn vulnerable web application there moving on 
to the spider engine we'll be looking at application login as well but for now just we will just skip over that when we talk about despite the engine alright these settings are controlled the engine use for making HTTP requests one spidering all right so this allows you to change the number of threads you want to use and as I said using more than you can see right now it's at ten what our recommend is still keeping it between the range of two to five oh you might you might cause the web application to slow down and these are more advanced settings that you can use it dependent on timing all right and we've talked about the request headers they allow you to modify the way the spider will will look towards the web applications for example you could you could edit the the device that is being used and you could change it for example into a mobile device and you get the idea you are let you essentially allows you to to change the request headers and from that obviously you would get a response back dependent on what you changed alright so that was the spider ring or actually the theory revolving on spidering now we'll be looking at how spidering really works in the next video I know some of you may not like this that I actually went through your theory and I haven't talked about doing anything but remember it's very very important to understand what exactly is happening behind spider ring and in the next video we'll actually get started with the spidering process gotta get started with brute-forcing with all right so our vulnerable web application of choice is going to be the damn vulnerable web application as we discussed in the previous video all right and I'm gonna be using Metasploit able to as well as my server by default you can install Metis file you can install the damn vulnerable web application on your Kali Linux and you can host it on your local on your local server and you can you can then perform your attacks but I like running it from an another virtual 
machine and as you can see I'm running it on the Metasploit able to virtual machine and by default it's connected to my local network and it's bridged so you can see that my local IP address is 192.168.1.1 or two all right so I already have the damn vulnerable web application open as you can see it is running on to that IP address of the Metasploit able to virtual machine under the damn vulnerable web application so for those of you asking why I'm using Metasploit able to instead of Metasploit able treats because Metasploit able to has a a much larger choice in terms of vulnerable web applications and it's really good for practicing all right so make sure you're logged into your damn vulnerable web application you need the default username is admin and the password is password all right is really very simple all right by default in this video we're gonna set our security level to low if you don't know how to do that you can go into your damn venerable web application security and you can set that to low and you can just hit submit the reason we're setting it to low is because most logins are you know if you look at the real world if you're talking about big sites this attack may very well work on sites that are older or sites that have not been updated or sites that don't have good security you'll be shocked to find some really big companies that actually don't have any login protection or brute force protection for that matter now that being said what I was talking about is if we great the brute force you can see that we have a login prompt here now I've forgotten the username and password and we're going to be brute-forcing it alive all right but before we do that we need to actually start our bug alright so start up web suite and you can see I'm using the community edition and it is the latest version alright so make sure that yours is the latest version obviously for obvious reasons and we're just gonna start a temporary project because I don't use the pro 
version and we're gonna hit use the perb defaults when a startup alright give that a few seconds to stop the to start burp and now you want to make sure you you're using the proxy so we're going to go into preferences and advanced and whoops burp is opened up limit is going to my proxies network settings and we make sure that it's using the manual proxy configuration which is the localhost one twenty seven point zero point zero point one and the port is 8080 work on it ok excellent now we need to move into burp back again and we want to make sure that we go into proxy and the intercept is set to OFF alright the reason we're setting the intercept off is because I just want to show you something first now by default intercept essentially just means that you're not intercepting the request the requests and the responses being sent from the web application to your browser ok so we have already set the proxy for the browser but we're not intercepting so if we just test a random username like test and we say a password like 1 2 3 4 5 you can see if I hit login it's gonna tell me that that is incorrect now if I set the intercept to on to see the request let me just turn it on and we can now reload this so we can say test and the password 1 2 3 4 5 we can see that now it's for some reason let me just for that I'll have to actually just turn that off and we now say login and for some reason that is not allowing us because we have to reload all right so now if I hit intercept on and oops let me just open up my browser and they hit the post 1 3 4 5 login for some reason it's gonna you know it's gonna reload in here I probably there we are all right so I've reloaded the page and as you can see now the intercept is on and we go back to burp you can see that we got the get request being sent by the web application now let's inspect it for a while now we'll be looking at what all of this really means but by by default the most important thing right now is the get request all 
right so you can see that the get request has two values here it has the username and the and the password now that the values are again are not important we are going to be brute-forcing the values but it's very important to get the fields that we are using here now what am I talking about if you look at the cookie you can see the security is low and if you are to edit the value and for the package you can set it too high that is basic stuff that's kid stuff right but now we want to brute force this login all right and how do we do that you can see the first thing we need to do is we're going to be using the intruder alright so if you're a bit confused about what the in today is don't be worried the intruder is essentially a Lola allows us to edit the parameters it allows us to edit the requests and then obviously edit them and manipulate them so he can get the desired results now the great thing about the in the intruder is it allows us to perform attacks like the brute force etc etc alright but now what we need to do is we need to send this request into the intruder so that we can send our own response alright so we're going to right click and send to intruder so we just send it to intruder and once it's sent to the intruder you can just hit forward alright we don't need to India we don't need that get requests anymore so now you want to go into it the intruder and you want to go into your positions and as you can see in your positions you have got you have got the get request that we were we are just intercepted and now you can see something really interesting it's highlighted for you all the different payloads okay or the different fields that we can brute force for by default we have the username value the password value the login value we have the eff at the SF ID value we have the the cookie value no no no we don't need all of this the only values that we need are the user name and the password value so the most important thing you need to do right now is 
you need to clear just hit clear all right oops sorry not that clear I beg I know I beg your apology there I sorry I didn't mean that autumn rain you say is I'm sorry just clear just hit clear and as you can see now no values are being selected to be brute force against so now we need to select them manually but before that we're going to be using the the cluster bomb attack type alright the reason we're using the cluster bomb attack type is because we are going to be using two values we are brute-forcing against two values remember that okay and these need to be set in in combination so that means it's much better to use a cluster bomb because essentially your clustering two values that need to be there need to be tested against the login the law in application or the login form together alright so in a combination so we need to select cluster bomb and now we need to select the values because those are the those are that is what we want to brute force again so just highlight this value it doesn't matter the password or the username is just highlight it and you won't do it at all right so just hit add and as you can see we have selected that you know I'm going to the password and you want to highlight that as well and you just want to add that as you can see now once you have added that those are the two values were going to be brute-forcing against make sure that none of the others are selected none of the other values once that is done yo you're almost there now now you want to go into your payloads right now in your payloads you want to make sure that your payload set is set to 2 which is you're using him and your password so let's start off with your payload set as payload 1 alright as your payload type make sure that that is a simple list because you can see we're only targeting user names and passwords so we don't need you know run tanked file or we are not changing anything you know dependent on Unicode etc you get the idea ok so simple list and now you 
quaint your payload options which is where you select your user list or your password list or your word list now we are not using a word list but if you want to you can if you're performing this on a real site which I don't recommend unless you have written permission now since we're using this in our penetration testing lab we are going to just add the default user names and said the security of the site is low and it's not really a complex a brute force to crack ok so what we want to do is wait we want to make sure we have set payload set to 1 which is going to be for our user names so now we can go into load where you can load your different user names and your passwords or your word lists but by default we're going to add our own all right so we're going to say oops some we're just gonna say we're gonna type in and now like the commonly used user names alright so something like admin administrator oops for some reason I actually let me just remove these blank values their admin now administrator administrator let me just type that back in administrator like so administrator for those of you telling me that my tie things but that's because my microphone is right in front of me and I can't really see what I'm typing administrator let's see what else what are the default ones like we have root we have password actually we are not setting the passwords right now so we can just type in the default ones like this all right so we can say test you know the default ones user one whatever you think would be the most commonly used ones okay or if you know the user name is that is even better so we're going to add all the user names alright so we've added the user names that we want to use now by default again I'm saying you can use a word list if you want to just going to load and select the word list now we want to select our passwords all right so we can go into the payload set too and as you can see now we can add our own values now we can use the default word list 
that come with Kali Linux. So if I go into my root directory and then into /usr/share and we select wordlists, let me just find where the word lists are, if I can find them. There we are, wordlists, and the ones that work great for me are in the Metasploit folder. You can look for the default passwords; as you can see you have your database default passwords, you have your default user passwords for services, that's also great. It has a great list of default usernames and passwords that you can use, but for me I'm not going to use this because we are sticking to the basics. Now you want to add your own passwords, so we can again select some random, commonly used passwords. You can say "password", let's see what else, "admin", you know, "admin" again, whoops, let me just remove that one, "admin", "root", you can use "root", let's see, let me think, "12345", that's also one that I've seen many network administrators using, "12345", and you get the idea.

All right, so we've set our two payloads: payload one is set for usernames, payload two is set for passwords. Excellent. Now we have selected all the payload types, we have added our payload options, we don't need to look at payload processing, that is advanced. Once that's done, what you want to do is go into Intruder and start the attack. All right, and now it's going to tell you that the community edition of Burp contains a demo version, but it's essentially telling you that the process is going to be slow. All right, so we're gonna hit OK and it's going to start the attack. As you can see it's going through all the combinations, and the combinations that we have here are 25, and it's going to go through all of them.

Now one great thing, or one important thing that you need to do here, is you need to understand the status codes that the server or the web application is sending back. That's a good way of understanding what password is correct, what username is correct and what password is not correct. OK, so if we look now at the results, as you can see it's finished going through the brute force attack. We check the status, the status is still the same, we have a status 200. If we look at the length, all right, the length is going to be still the same, but you have to look for things that are not matching. So for example you can see that the length here that was returned was 4948 and it's not following the format of the others, so that means that this could be the username and password. Don't worry about the status, the status will still remain the same regardless of that, but when we'll be looking at advanced server penetration testing that's something important. So you can see that what we've got here is very important.

Now if we look at the response that will be sent, right there you can see the response, and if we render it you can see that if it was successful it will tell us that we've logged in successfully. So let me just browse down all the way, as you can see: welcome to the password protected area, admin. And there you go, that is the username and the password, it is admin and password. Now again, this was really simple; again, you can increase the security if you are practicing on your own, but you can see that this really works, and this is how to utilize Burp for advanced stuff like brute forcing. Now again, most of the advanced websites nowadays have great content management systems that have security plugins that essentially prevent you from brute forcing or lock you out, but with most of the older sites you'll actually be quite shocked to find out that their login forms are not protected against brute forcing. Now we have already logged in and we can see that the default username is admin and the password is password. OK, so you can look at the raw HTTP here, the request and the response, you can look at them and you can
inspect them if that's what you do, and you can look at the headers, what's being sent, all that good stuff. But that is going to be it for this video. And now if we just go back into Burp, let me just go into my Proxy and I'm going to disable intercept, and we can try and log in here. So we know that the username is admin and the password is password, so let me log in, and: welcome to the password protected admin area. Fantastic.

In this video we're going to be looking at selecting our target in Burp Suite, adding it to our scope and then finally spidering it. As my vulnerable operating system I'm going to be using Mutillidae, which comes pre-installed on Metasploitable 2, so you should download, well, I would recommend that you download Metasploitable 2. It's a fantastic option for any of you who are just getting into penetration testing; it offers multiple vulnerable web applications and vulnerable systems that you can practice with, so again it's something that I really, really recommend. That being said, as you can see I have the Metasploitable 2 virtual machine running and I have already looked at my local IP address. You can do that by typing in ifconfig; that will display to you your current network interface and your local IP address, because we are doing this in our virtual penetration testing lab.

All right, so let's go back to Kali Linux now and I'm gonna open up my browser. Make sure you get your IP address, and as I said again we're going to be using Mutillidae. So if you don't know what Mutillidae is, Mutillidae is simply a vulnerable web application, and the reason I'm switching from the Damn Vulnerable Web Application is because I want to show you a few, I really want to make it a bit diverse in terms of the web applications that we use. All right, so let's get started now. Now I already have the IP address of my virtual machine opened up here in my browser, as you can see, 192.168.1.104. So if I reload this you can see that it indeed is the Metasploitable 2 server, and I can just go ahead and click on Mutillidae. All right, now what I should do now is go into my preferences. You can do that by opening a new tab, so let me just open a new tab here, go into Preferences and then select Advanced and Network and finally Settings, and then you want to make sure you select a manual proxy configuration, and then make sure it's using the localhost proxy, which is 127.0.0.1, on port 8080, and hit OK. Once that's done we know that Burp Suite can intercept; not that we want to do that in this video, we just want to map the web application. All right, so we're not going to change anything in Mutillidae, but I'm gonna be showing you some pretty interesting things in this video.

So now we should start up Burp Suite Community. Now I'm gonna be explaining something at the end of the video that is really important, and it is in regards to the community version and the professional version of Burp Suite and what the differences are and why you will need at some point to get the professional version. OK, so I'm gonna select a temporary project, I'm using the community version as of right now, hit next, use the defaults and I'm gonna start Burp. All right, so it's gonna start Burp Suite, and then let me just minimize the browser here. So give that a few seconds to start up, and once it starts up what you want to do immediately is turn off the proxy; we want to stop the intercepting because we are not intercepting any requests or inserting any responses. So go back into your Target and now we can get started with actually reloading the page right here. So let's reload that and we should be able to see what's going on, and we should have the site map. All right, so let me just open up Burp Suite here. Fantastic. All right, so now you can see something very interesting has happened here: in our Target and Site map we
have the files that were discovered here. Well, essentially we have the web server that then has the mutillidae folder, which is our target. Now before I get into any of that, the site map, sorry about that, the site map is essentially the structure or the format of the web page and how the web page was constructed and how it will function in regards to every other piece of content. OK, so the first thing that we need to do, or we'll be looking at, is actually selecting your target, which in this case again is Mutillidae, and you can do that by right clicking and hitting Add to scope. All right, so you might be asking what exactly the scope means. Well, a scope essentially allows us to define our automated spidering, and what this means is we are focusing only on our target; we're not going to focus on the reference links like you can see here, for example we have Twitter as a reference, BackTrack, Dynamic Drive, Eclipse, etc. etc., you get the idea. So scoping is essentially selecting our target, isolating it so that we only see what we need to see, and obviously the results that we want to see. So I'm gonna right click on Mutillidae and I'm gonna hit Add to scope. All right, so now it's going to say you've added an item to the target scope, do you want Burp Proxy to stop sending out-of-scope items to the history of the other Burp tools? Yes, again we want to make sure that we clear out all the junk that we don't need. Now you might have noticed, well, that's essentially happened but nothing has really changed, and as you can see it's gonna tell you here logging of out-of-scope proxy traffic is disabled. Don't worry about that, just leave it as it is; if you want to re-enable it you can go ahead, but right now you don't need to do that.

OK, so we've looked at how to add our target to the scope; now let's look at spidering. Spidering is essentially the first and the most important step of web application penetration testing. All right, it deals with, or it is in relation with, footprinting, and this is why I bring the comparison from penetration testing to, obviously, web application penetration testing. It essentially deals with crawling through the website, and then it records all the files, the links and the methods that it can get, and that helps us build an idea of how the web application is structured, how it works, and then finally we can learn how we can break through it. What we need to do is we need to spider our target; we have added it to the scope, which is great, and now we need to spider it. So what we're gonna do is we're gonna use spidering, and this will help us identify all the links and the parameters that we need; again, as I said, it's like footprinting. So what you want to do is right-click on your target, which in this case is Mutillidae, and you want to hit Spider this branch. All right, so I'm gonna hit Spider this branch, and now something interesting is going to start happening. As you can see it's gonna start getting all the links, all the resources that it can, and it's gonna keep prompting you here with a submit form. OK, now what you can do is just ignore the form, there'll be quite a few; essentially these are default login forms where it's asking you to enter credentials that you might want to enter. Let's say you're performing white box penetration testing and you have the details, you can again log in like this and perform an internal penetration test, but we're going to assume that you do not know, you're essentially performing a penetration test on the security, so I'm gonna ignore all of these forms. OK, and as you can see there's another one right there, and the spidering is probably continuing. Now if you want to view the status of this spidering you can go into Spider, and as you can see you have your status of this spidering, and once it's done you'll see that the requests made will stop
changing and the bytes transferred will also stop changing, so we can stop the spider. Now you noticed something: we were faced with those form login prompts. Now you can choose to enter them as you are prompted, but the better way of doing this is to actually do this automatically, and you can do this by going into Spider, and you want to go into Options and you want to go into your application login. All right, now if you look at the form submission, what it's doing is it's going to use the default form submissions that you would find in a database, so for example you have mail, first name, last name, surname, name, address, you get the idea. So those are default values that one would be expected to find. Now we're looking at the application login; as you can see its option is set to prompt for guidance. We want to change this to automatically submit these credentials. Now in here you can enter default credentials, or if you have an idea of what credentials you might expect to find. Now this is where creativity and sheer information gathering comes into play, so if you know the default usernames and passwords you can enter them here. Now what I'm going to do is I'm going to enter a string that, well, I've used it before in performing SQL injection, and we'll talk about SQL injection because it is very advanced. If you know SQL injection or you have an idea of or experience with databases, you might understand what this string means. All right, so for my username I'm going to change that to admin, a quotation mark, and you say or one equals one and two dashes, all right, and a space, and attach. Now you don't need to worry what this means for now, please do not stress about this, I will explain it when the time is right. All right, so leave the password as it is and don't worry about that. Now we don't need to change anything in terms of these tabs, we talked about these tabs in the theory section, and now we can go back into our Target and finally we can spider the application once more, so that we can essentially process these strings that we just entered in terms of the username. So I'm going to right click and spider this branch. OK, so it's gonna start spidering, and if we look at the Spider you can see that the spidering is complete, and you can essentially clear the queues if you want to clear them, like so, and you can keep on running it depending on what you want to do.

OK, so I'm just gonna pause it, and now we have essentially spidered the web application, and you might be asking, well, hmm, I've seen a few reference sites, that's not helping much, you know, we don't need twitter.com or, you know, Sizzle JS. This might give us a basic idea of what types of sites are linked to the web application, but in reality you can see we have Hackers, or, not very important information at all. Now what if we click on the mutillidae folder? Oh, look at that, that's really interesting, now that is very, very important. What has happened here is it's given us the structure of the web application; this is vitally important. All right, now again as I'm saying, you can look at how the web site or the web application is structured. So in documentation you can see, you can go ahead and read the documentation, you can look at the images that the web site has, the styles, so you can inspect the entire site and understand what exactly is going on here, or get an idea of what the person who developed the web site was thinking, and then finally, out of experience, or as we'll be looking at, out of knowledge, you can actually understand how to exploit the system. And that's where we will be talking about discovering hidden files, hidden files like admin pages, login pages, you know, that really juicy stuff, and we'll be talking about that in the next video, and that's because Burp Suite Community Edition does not allow you to use that feature. So what I'm gonna do
in the next video, I'm gonna be using Burp Suite Pro and also show you an old alternative program, I'm sure you've heard of it, that also works on Windows; of course Burp also works on Windows, but I'm not really a Windows fan when it comes down to penetration testing. So that being said, we have essentially spidered the application, we have the structure of the web application, and now we need to look at something also very interesting, as we have already talked about it. Let me just show you how to get rid of all of these reference links and to essentially show the items in the scope only. So what you can do is just click on Filter right here, this little bar here is the filter bar, so click on it and it's gonna bring up this small little window, and you want to focus on the filter by request type and make sure you check Show only in-scope items. This will essentially filter all the results to show you only links or resources or files that are within the scope. So once that's done just click back on the filter, and as you can see it has got rid of all the junk that you do not need whatsoever, and now you can essentially look at the requests and the responses and analyze them accurately, defined to your scope, and this will essentially stop confusing you. I've seen many beginners make this mistake where they don't define their scope, they do not know what their target is, and they're getting links that do not even relate to the website that they're trying to perform the penetration test on. Now since you know this, this knowledge will help you get a solid foundation, and again you can start logging out-of-scope proxy traffic when you want; again, it's very nice that they added that button right over there. All right, so now you only have the files that you require, or the files that you're currently performing the penetration test on. Now I know this video was slightly, well, there was not a lot of action, but again it is very important that you get this.

In the next video we'll be looking at how to discover hidden files, or files in general that you are not supposed to find, OK, and that can be done by right-clicking and going into Engagement tools. As you can see it is confined to the professional version of Burp Suite, and we will be going to Discover content, where I'll be explaining to you how to find things like the login page or the configuration page, things that web developers, you know, actually just may try to hide but, if actually found, can really exploit the website or can lead to the exploitation of the website.

We're gonna start looking at how to discover hidden files, but before that I just want to take you through a few things. All right, so let's start off with what O-W-A-S-P, or OWASP, is. All right, so what does that mean? Well, essentially what it means, or what it stands for, is the Open Web Application Security Project. All right, and its goal, well, essentially it is a nonprofit organization whose goal is focused on improving the security of software. All right, so its job is to improve the security of software. Now this project, OWASP, or the Open Web Application Security Project, created a tool called the Zed Attack Proxy, or as you know it, many people are calling it ZAP, and I'm sure most of you have heard of it. And you might be leaning towards Burp Suite a little bit more, but I can guarantee you that ZAP is one of my favorite tools, and I use it because firstly it's free, and for the students I teach I usually tell them to start with ZAP, because if you get ZAP you'll automatically get Burp Suite, and you only need Burp Suite when you're moving into an enterprise environment where, you know, Burp Suite is the recommended tool and it is the tool that you must use to adhere to certain rules and ethics. That being said, ZAP is a fantastic tool, it's absolutely free. As you can see, the OWASP Zed Attack Proxy, which is, you know,
abbreviated as ZAP, is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. All right, so it helps you find security vulnerabilities in your web applications while you're developing and testing applications. So again, if you're a web application developer this is also a fantastic tool for you, and as I said it's going to be a fantastic alternative to Burp Suite. All right, now that's not to say that Burp is bad; Burp is more of an enterprise-developed software. As I've mentioned in the first video of this series, Burp is focused on professionals. Now that's not to say that ZAP isn't, but you'll get the idea. All right, so I'm gonna be making a separate video on installing ZAP and I'm going to make a video on how to get accustomed to the interface, because it is slightly different, and the language or English used for the interface is again, well, I'll not say very different, but it is quite different. So again, getting used to it is also something that is quite helpful, because we'll be needing some of the enterprise features and only a tool like ZAP will be a great alternative. However, if you do have Burp Suite Pro, go ahead, it'll just be the same thing; as I mentioned in the previous video, it's really very easy to follow up where we left off. OK, that being said, it runs on the same network proxy, it runs on the localhost, so make sure you're running it on the localhost and on port 8080. I'll be showing you how to change the port if you so feel you want to; that's also another great thing about ZAP, it allows you to change the proxies. So I have Mutillidae opened up here and it is again running on my Metasploitable 2 virtual machine, and it's running on my local IP address 192.168.1.104, as you can see, Mutillidae. All right, so that's working perfectly. So let me just leave those other tabs open, because again there's no real harm. OK, so again you can configure the Mutillidae security level if that's what you want, you know, to make things harder, but I'm just gonna be showing you the focus of this video, which is how to find hidden files.

Now you might be asking why do we need to find hidden files, or why do we need to discover these hidden files. Well, hidden files firstly are files like admin login pages, you know, maybe a robots.txt, but that's not really something that's hidden nowadays. It could be a text file containing maybe usernames, you know, something really weird, or, you know, pardon my English, or pardon my language, something dumb that the web developers left behind, or, you know, just not configured correctly, and you'll see what I mean in a few seconds. All right, so again these are the files that are hidden, and you will not find them after spidering your web application or website. All right, so let's get started with ZAP. As you can see the logo right here, it's added to my favorites, let me just launch it, give it a few seconds and it should start up. There we are, ZAP, give it a few seconds again, and make sure you update it; usually the updates for the modules vary regularly, so make sure you update them to the latest version, as they improve the speed and so on and so forth. All right, so it's gonna prompt you here: do you want to persist the ZAP session? That means do you want to save this ZAP session. I do not want to persist the session at this moment in time, so I'm gonna start again. Don't worry if you're not familiar with the interface, I'll be going through it in another video because it deserves it. Now you might be a little bit overwhelmed, but do not worry, do not start going to, you know, URLs to attack; that may seem really, really tempting, but again, you know, let's take it nice and easy. So let's talk about the proxy, how to change the proxies. So to do that you can go in right here, as you can see, or you can go into Tools and go into Options. All right, but I like going into this little cog here, and
once you click on the cog, let me just enlarge that, you will see that you have this huge menu, and again, as I said, ZAP is a really advanced tool and in some cases can totally replace Burp Suite. Now looking at the proxies, you want to go for the local proxies right here, it's obviously starting with L, so Local Proxies, and make sure that the address is hosted on localhost, and you can change the port if you're using Burp Suite and stuff like that, if you're using both applications at the same time or you're running something on localhost already, so you can change it to something like 8081, whatever you feel is comfortable for you. OK, so that's how to change your proxies, and if you're running behind a NAT you can also check this and you should be good there; if you don't find that the proxy is working, I suggest it. OK, all right, now we are not going to be looking at intercepting right now, but we will be looking at that in a few, in probably the next videos, the advanced videos with ZAP. All right, so let me just reload the Mutillidae page, and as you can see I'm running the proxy, so I'm just going to reload the page, and as you can see we are not intercepting actively, so, whoa, what's this? Well, we got some files here. Let me just reload the page one more time and there we are, we are getting some results. So we get the IP 192.168.1.104, that's the server, and if we just click on this dropdown here we get the GET request, so you can analyze the GET request if that's what you want, so you can right click and then analyze. All right, now we will not be looking at that right now, because I want to focus on finding, or discovering, the hidden files. So what we'll do is we want to click on the mutillidae folder. Now one of the great things I like about ZAP is it already gives you the file structure or the website structure immediately here. All right, so you can see you have your images folder, which has the images there, your JavaScript, styles and all the resources in regards to the website that it could find naturally. All right, so if we just look at the bottom here you can see that it's showing you a timestamp with the method, the URL, and it gives you the code, which means, in this case the 200 code means the page was found, you have the reason, you have the RTT, the size, the alert. As you can see it's telling us we have a high alert here; now don't worry about that, again these are things that will really be tempting, but again let's take it slow. All right, so the first thing you want to do, or you need to do, is to right-click here and you want to go to Attack and hit Spider. All right, so we want to spider the website or the web application and Start Scan; do not touch anything here, just make sure it's using the appropriate server address and just hit scan. All right, now it's going to spider the entire web application, it's going to give you a little progress bar here, you can pause it or stop it, which is also great to see. At the bottom you should have also noticed that you have your tabs here that work really, really well, and as you can see the website now is completely spidered, and if we just check all the files that we found now, you can see that we have some more JavaScript files, and essentially what's happened here is the entire site has been spidered. OK, now we already did this with Burp, and you're probably really bored of this right now, so what we're gonna do now is we need to start discovering the hidden content, right. So let me just close all of this up, there we are, fantastic. Now let me just open that up and let's go to Mutillidae, oops, my bad, sorry about that guys, and we want to right-click on Mutillidae and you want to go to Attack and you want to go to Forced Browse directory (and children). That's very important: Forced Browse directory will not display everything. We'll also be looking at fuzzing, but that's for later. All right, so you want
to make sure you hit Forced Browse directory, just click on that, and it's going to open up this tab here. So you can see we had the Spider tab open, which you can close if you're not using it, which is also great, I really like the management of ZAP. You then have Output, Alerts, as you can see you have some alerts here that will alert you on some potential vulnerabilities, so for example application error disclosure, you have some cookies with no HttpOnly flags, so again, awesome stuff there. We have the GET request, all that good stuff, which is again focused on a different type of attack. And as you can see by default we've got the robots.txt here, which you can analyze if you want to by right clicking and going ahead and doing that, so you can copy the URL to the browser, so again, Copy URL to clipboard. All right, and if we just try and explore this, let me just paste that in here, as you can see, well, for some reason we are not actually getting robots.txt, let me use the mutillidae, or actually, you know what, let's not do that right now because I really want to stay on topic here. So I'm just gonna go back into that again; I always love going off topic for some reason. OK, so make sure you click on Mutillidae and you want to right-click on it, and now, oh sorry, we already did the forced browse: right click, go to Attack and Forced Browse directory (and children). All right, now it's going to open up this tab here and it's gonna make you choose the site, as you can see you have your site IP here. Now you need to select the default directory list; it's going to use this list here, this default list that comes already with ZAP, and now it's going to try and use it in a sort of brute force way to try and detect the hidden files and folders, and once it gets the results it's going to enumerate them. OK, so now you want to right click again on it after you've selected the list and hit Attack, and you want to go to Forced Browse directory (and children), and once you hit that it's gonna start the process. Now again this is going to take, well, not a long time, depending on the size of the website; if the site is huge then again it's gonna take a while, and as you can see immediately we're getting some submitted files. So let's wait for this to complete, and I know Mutillidae has some very, very interesting files here that I'm sure we'll be happy to get. All right, so just let it go through this; as you can see you can check the progress as you're going here, and again, if you look at the status code you can see 200 means the pages were found, so you can just go ahead and look for things that are irregular, and I'm sure we can find something here that we haven't found before, or you can look at the file form, the website directory here. So, mutillidae, let's see if we can find something that is really, really interesting here. So we have the includes, you have the GET index.php, the GET requests, sorry, for the index dot, oh, we have something interesting here, we have a notes folder. Aha, now we're talking, now this is where stuff gets really exciting. All right, so we have our, oops, where'd it go, there we are, so in notes we have some very interesting files. So we have a GET passwords; now what's this about? All right, so what if we just open this URL in the browser? All right, so let me just try and open that in Firefox, I just want to see what it's gonna be all about, so hopefully it's opened up in my browser; if it's not I'll have to copy the URL, probably because I haven't set any default. All right, so Copy URL to clipboard and let me just paste that in there, please don't go, there we are, mutillidae and passwords. All right, so you can see that this folder or this file was hidden, and we have an interesting txt file here, which again is quite scary. So we did open Firefox, well, doesn't look like we need that instance, so getting back to the topic here, for some reason process
unexpectedly closed with, all right, so that looks like we have a Java error there, so let me just go back in over here. So again we found an accounts.txt file; what could that be carrying? Let's click on that. Oh boy, so again we have accounts here, and well, I'm pretty sure you would know what this means; this is just bad practice from the website developer, where he wrote notes and essentially these are the accounts. Now let's see what else we can find. Let's see, accounts, nothing interesting in accounts because we now have the accounts, so that makes our brute force much easier. You then have, let's see if we can find any passwords, if they were ever saved here; I'm pretty sure they are not, but we can look for some interesting files here that can be really interesting. You can look at the site map if you want to, so let's also copy that, let's see if it gives us access to the site map, also very, very important stuff there. Oh yeah, so the site map for some reason we were not able to process. All right, let's look for some other files here, let me just open that Mutillidae again, so we have the GET images, let's see if we run the GET images, let's see what images we can get. Again I'm going pretty amateurish on this, I'm just clicking on everything, but I'm just trying to show you the amount of files that you can find. As you can see immediately you can find the refresh button, you know, all the icons related to the website, you have the i hack banner, oh yeah, Hackers for Charity, man, so I'm talking about YouTube, oh my god, what an old logo that is, yet the OWASP logo, pretty cool, pretty cool. And yeah, so you get the idea, so this is how you actually go through a website and find files that could contain, you know, stuff that is quite interesting, to be honest. So let's see what else we can find; I'm just gonna go to one more resource here that we've found. Oh, we have the GET register, wow, now that's what I'm talking about, Copy URL to clipboard. This is actually quite fun, this is why bug bounty hunting is, oh yeah, now this is what I'm talking about, we can actually register ourselves on the website. Now again, looking at the website from here, doesn't look like we can, can we even register on this website? I'm not sure, for some reason it's not actually letting me scroll to the top, but, hi, I don't really know what's going on there, so let's see if we can definitely log in, render and register, sorry about that, we can register there. So yes, it is the register, it does exist, so that wasn't actually hidden, but it was hidden, it was hidden when we spidered the website, so that means indeed it was hidden, for obvious reasons, because the brute force, for example, if you find the login, which is again here, and again if this is hidden you can imagine the damage that you can do. So again you can log in from there, set up database, now that's interesting, for some reason it's not letting me copy. All right, so looks like we got set up database here, so here we can, OK, I do not want to manually edit the request, no, I do not want to manually edit the request, for some reason my keyboard is being pressed here, wow, that's weird man, Copy URL to clipboard, all right, sorry about that, my spacebar was being mashed on by my tablet in front of me. Right, so let me just, there we are, so no PHP MySQL errors, resetting, so I simply reset the database and you can see the damage that this can do. So again that is some good stuff that you can have fun with, especially with Mutillidae; you can increase the security and find what other files you can find, you know, with ZAP. Again, ZAP is a fantastic alternative that you can use if you're not ready to invest in Burp Suite, that's totally fine. I used ZAP for, I think, about three years, especially since 2014, I think I used it until about, I think, 2016 or 2017, I'm not too sure, and it worked great for me, I really enjoyed it, and I'm just getting back to, I'm just remembering how all the tool used to
work. It was actually quite a user-intuitive interface, because I just remember right-clicking means you can copy the URL, you can inspect it, you can change the request, you can attack, all that good stuff, and it's sorted out really well. Alright, then you can look at the requests here, you can change them to whatever you want and then send them, you can intercept them; it essentially does whatever Burp Suite does.

We're going to be looking at web application firewalls, or WAFs as they're called. Now this may be a new term for you, and do not worry, this is now when we move into a more professional level, and again this is what I've been talking about: most people out there, or most documentation out there, won't cover the most important industry standards. Now when I'm talking about web application firewalls, what I mean is these are the protection, or these are the mitigation procedures, put in place to protect a web application from attacks, obviously. Now as a penetration tester, or if you're looking at it from a white hat or a black hat perspective: from a white hat perspective it's always important to have a web application firewall, and I'll probably make another video showing you how to set it up; it's really easy and it's free, and it'll probably remove about 20% of attacks. Okay, so that's if you're a white hat. Now if you're a black hat, and you're targeting, or you're performing a penetration test legally on a website or web application, usually what the employer will tell you is they'll give you a scope of the project, and again they might give you the source code etc. You get the idea: you have your white box testing, black box and gray box. But coming back to the firewall, most of them wouldn't know that there is a firewall, and that's because the person who set the website up for them, in terms of hosting, or the web application for them, will in most cases on a professional level have a web application firewall. Now you might be a bit confused and you might be saying,
well, why is this important when performing a penetration test? Well, this is important because firstly it's something that most pen testers overlook, and if you know this you've got an ace up your sleeve. Alright, so essentially what's happening is, if a web application firewall is being used, you obviously first need to detect it, and I'm going to show you how to detect it in this video using a special tool that I don't think you've ever heard of, but it's also industry standard. So this is really a secret; I don't know, for some reason it's something that just hasn't caught on yet, but hopefully after this video you know about it. Alright, so essentially the purpose of a web application firewall is that it protects the web application from a firewall point of view, in the sense that it blocks attacks as one would expect them to come. Now what does this mean for you? Well, this means that you will need to manipulate any type of data that is going to be encoded. Alright, so what this means is, if you're performing a penetration test that involves you manipulating data and sending it back to the web application, then you need to encode it in a specific way to bypass the firewall, otherwise it will be blocked by the firewall. And I'm sure most of you have actually done this before: if you're an amateur penetration tester and you've just begun, you'll find that for some reason your requests aren't being processed, and that's because there is a firewall set up to prevent these malicious requests from being processed. Okay, so again, a web application firewall is really, really important. Now looking at the tool we'll be using, the tool has actually a very funny name; some of you might find it hilarious. It is called wafw00f. Now for those of you who have heard of it, you pretty much already know how to detect a web application firewall, but it's really very simple. Alright, so just open up your terminal and
what you want to do is type in wafw00f. Alright, so this is how it is going to be spelt: it's wafw00f with two zeros, and the syntax is pretty simple. If I just hit enter, as you can see, wafw00f is a web application firewall detection tool. Alright, so credits go to the author; it's actually a tool that's been there since, I think, almost the last version of BackTrack and the first version of Kali, so again quite an old tool. When I say old, I mean that with respect, given the fact that it's really useful and I've used it a lot, because it saves you a lot of time. And what I'm talking about is, let's say we want to scan a website. Okay, in this case I have my WordPress server running here, and as you can see the site is being hosted on 192.168.1.101. Alright, so I have that IP opened up in my browser, and as you can see it's a WordPress site, and this site is vulnerable, and this is what we're going to be performing the penetration test on later on. But for now we want to find out whether it has a firewall. Now by default I know it doesn't have a firewall, but let's see what wafw00f tells us. Alright, so the syntax is very simple: as you can see, you just type in wafw00f and you enter your URL or your URLs, so you can enter as many as you like. Okay, so it'll give you an example there of how to go about it. Make sure you enter your HTTP or HTTPS protocol, and let's try that out. So wafw00f, and we specify our protocol, HTTP in this case, and the IP address 192.168.1.101. Alright, now in this case I'm pretty sure that it won't detect any web application firewall, so let me just hit enter, and as you can see: no web application firewall detected by the generic detection. Alright, now this is very advanced, and this tool is an industry standard, and if it does tell you that there is no web application firewall, then by all means I can guarantee that it does not have a
firewall. Now let's look at one of my sites that I currently own. It's a site that I use; it's actually my web development company, that obviously we use for web development. Now I've protected this site with a web application firewall provided by Cloudflare. Now for those of you web developers, when you're performing your hosting, you know that using Cloudflare is awesome, because it allows you to optimize your site for speed, it allows you to purge assets and make your site faster, protect it, and again protect it from DDoS attacks etc., all the good stuff. So let's see if it will actually detect this. So I'm going to type in wafw00f, I know that name is really funny, the protocol is HTTPS, like so, and I'm going to specify the site, which is elkhorn studios.com. Alright, elkhorn studios.com, and if I enter, as you can see it's gonna start checking the site. Give it a few seconds; it shouldn't take a lot of time. And as you can see, the site elkhorn studios.com is behind Cloudflare. Alright, now what this means is that most of the attacks that involve manipulation of data will be in some way blocked, and you won't get your response back the way you wanted it, and the render wouldn't be the same. Alright, now again, as you can see, it's detected that it is behind a web application firewall. Now the next step is how to encode your requests that you're going to be sending to the web application, and that's what we'll be looking at as we increase the security level using the Damn Vulnerable Web Application. Alright, so I thought this is something that I really need to share with you; again, it's going to really help you, and I promise you this is something that, if you go for a job interview or you're performing a penetration test for a company, most of the network or systems administrators are very keen on. They want to know whether you really know your stuff and whether you're really up to
date with how to detect, first of all, because information gathering is really important. As you can see, this tool is fantastic, and once you know there's a firewall you then have a better idea of how to target, and you won't be wasting time. Again, that's something that most amateurs or beginners do: they waste a lot of time trying different commands that they've seen, but then they see that it doesn't work and they're like, how is this possible, am I doing something wrong? The truth is the web application is probably well protected. So again, do not use this for any malicious purposes; again, this is simply an information gathering tool.

I'm gonna be showing you how to use DirBuster to discover directories and files on a website or a web application. You might be asking yourself, what is DirBuster? Or if you haven't heard of DirBuster, let me explain it to you. Alright, so DirBuster is essentially a tool that was developed by OWASP, the Open Web Application Security Project, and essentially it uses brute forcing to find commonly used directories and file names on servers. Alright, so this tool is extremely useful for those of you who are doing CTFs, or for those of you who are bug bounty hunters, because essentially it allows you to understand the structure of a web application or a website in terms of the files and directories and how they are structured. Alright, so why is this important? Well, this is important because this will help us understand how we can attack a site, or what type of attack vectors we can find. So for example, if I had a web application, and I'm going to demonstrate that right now, and I scanned it with DirBuster and we found some hidden directories and hidden files, we can use these as attack vectors. Alright, so as I said, it also allows you to find hidden directories or files that are hidden from the public, so this can also lead you to finding additional resources that could have been hidden in a way by the devs that
like, for example, admin pages etc. Alright, so how does it work? Well, really simply: once you start up DirBuster, and again as I mentioned it uses brute forcing, so I'll explain where word lists come into play, you open it up and you select the URL of the web application or the website, and you specify the port. The port is definitely going to be HTTP, so either port 80 or port 443, and then you select the word list. Now in this case Kali Linux already has DirBuster word lists that are designed, it has three of them, that are designed for different types of scenarios, and I'll explain them as we move along. Alright, and essentially how it works is, once you start the brute force attack it will send HTTP GET requests and it will wait for the response from the server or the web application. If it gets a 200 response, that means that yes, that directory exists. Alright, if it gets a bad response, meaning like 400 or 403, meaning no access, then it will know that that directory or file doesn't exist. So it's essentially testing directories on the server against this word list, so it will check, for example, is there a temp folder: it sends a temp request to the server, and if it gets a positive response then it knows it's there, and then it will enumerate them. Alright, so let's start off really simply. So I'm on Kali Linux and I have the OWASP Broken Web Applications right here, and I'm going to be demonstrating two scenarios. So you can see I'm running that here, and that has a lot of vulnerable web applications, but the whole idea is to demonstrate how directories can be found, and why this is extremely important, especially for a web application penetration tester. Alright, so I'm gonna pull up Firefox, and as you can see I have the OWASP Broken Web Applications project right here, the OWASP BWA as they call it, and it has plenty of ways of me testing this, but what if I was to just test the entire server? Alright, so this is a web server. What if I
was to test the entire web server? Well, I'm guessing that there are going to be a lot of files and directories. So what we can do is start off with a perfect example of how this would work: let's say you're targeting a WordPress site. So I'm going to open up the broken WordPress, and of course this is a very old one, and we're not really exploiting anything, but by using this example it will let us understand how we can enumerate the different directories and folders on this WordPress installation, or if you were targeting a WordPress site, this is the way you do it. So I'm going to copy the URL with the directory right here, so we know it's in the WordPress folder, because that is the root directory of the web server and we are selecting the WordPress installation; but for the website you will select the URL. Alright, and as for the port, we know that this is the default HTTP port, which means it's port 80. Alright, so I have DirBuster right here; if you can't find it you can use the Start menu and type in DirBuster, it's going to be like so, just click on it and give it a few seconds to start up. So again, it was designed by the OWASP team, so it works really well, and again this is something that I'm sure, if you are a web application penetration tester or you do the CTF challenges, then you'll know that you use this tool a lot. Alright, so in here we have the target URL, and that's where we will paste it, so we can paste it right here, so Ctrl+V, and that is the URL. Now in the work method, if you want the scan to be faster you can use the GET requests, but what we can do is auto switch between HEAD and GET, and that will give us a more robust, or a more accurate, response rate. Alright, so in terms of the number of threads, this is how fast you want the scan or the brute force to be, so the faster the better depending on your hardware, and of course you don't want to overload this
server. So I'm just gonna click on "go faster"; that probably works the best for me, but if you want it to run faster then that means it's gonna have multiple requests and threads being sent from your computer. Alright, so I like keeping it at just 200 threads, which is "go faster", and because I'm testing my own web server I can pretty much increase it to whatever I want. So usually if you're talking about a bigger server or a bigger web application, then it doesn't really matter how many requests or how many threads you use, it will not really affect the performance of the web server, but if you were to run it at maybe maximum speed, you'd see that the web server would be lagging out from the amount of requests that are being sent. Because you have to understand it from a fundamental point of view: we are requesting the different web pages and the server has to process them, so if the server is not running on good resources, like it's running on one gigabyte of RAM, it's very easy to make it lag out and to actually cause some sort of a denial of service just because of the amount of requests. But in this case we are performing it with an ethical perspective. So now you want to select a list based brute force, or you can use a pure brute force, but I don't recommend that, that doesn't really work, and you now need to select your word list, your DirBuster word list. Now by default on Kali Linux and on Parrot OS these are found in the /usr/share folder, under wordlists, and you can find the DirBuster word lists right there. So I'm going to show you that right now: I'm gonna browse, I'm gonna go to my root, I'm gonna go into usr, and I'm going to go into share, and let's go into wordlists here. Let's see if I can find it; where is it, let's see, where is wordlists, sorry if I can't see this, there we are, sorry about that, wordlists, and you now
want to go into dirbuster. Alright, so there is going to be a folder called dirbuster, and now you might be a little bit confused; well really, you don't need to be confused, that's why I'm here. So as a beginner you might be wondering which one is better. Now as an advanced penetration tester I know which one is the best: in most cases it's going to be the medium one, the directory-list-2.3-medium.txt. Now if you're scanning a very small web application that's not that really complex, like a simple HTML site, HTML, CSS, whatever you want to call it, then I would recommend the small one, but if you're scanning a big site like a WordPress installation or a Joomla installation, then you should use the medium one. This will work 99% of the time, unless your requests are being blocked by either a web application firewall or by the host. So I'm just gonna select the list. Alright, and now in terms of these other options, you can see it's going to essentially brute force directories and files, it's going to be recursive, which is great, and the directory: you must specify the directory if you are trying to perform a scan that is directory sensitive. Alright, and the standard start point, just leave it like that, and you now want to hit start. Alright, so once you start it's gonna start brute forcing the web server, it's gonna start sending the requests, and if it gets the positive responses it's going to understand that yes, that directory does exist. Now you can see we have a response that is being sent here, and it's going to tell you that it is unable to determine a consistent failed response, which means for some directories you're getting a negative or you're getting a no-access response, meaning that that directory doesn't exist. So what you can do is just hit cancel on those, and it's going to continue scanning the other ones. Now of course, down here you can see, since it's
performing a brute force, you can look at the current speed, which varies depending on the amount of directories, the average speed, and it'll tell you the total amount of requests done out of the amount that could be done, depending on the word list that you have selected, and finally you have the time to finish, and of course this will vary depending on a lot of factors, but mostly it depends on the speed of the scan that you've selected and the word list. So you have your scan information here; it's gonna tell you what folders and files it's testing, and in here you can see the results in terms of directories and files that it was able to find, and in the results it's going to give you the directory structure as to how files and folders are being structured on the web application. Now by default, right now you can see the files and folders that it has found are, for example, the wp-register.php. So if we open that, if you right click on it, you can open it in the URL or you can view the response that it gave, and you can copy it; you get the basic functionality here, and then you can open it in your browser. So again, you see that we are finding files that we otherwise wouldn't have known existed. Now of course for a default WordPress installation you would have guessed that this does exist, but remember, for most other installations and configurations this can be a great way of finding files and folders that you didn't know existed, and again discovering them is very important, and this can give you different attack vectors. For example, if I went to the admin.php and it forced me to log in, that might be a good place to start brute forcing if I had credentials; if not, you can select another attack vector. So let me just move back here. You can see we have the register page here, which we just clicked on; let's look at the wp-login.php, so I'm going to open that up in the
browser. Now you can see the server is not responding, and that's another point that I wanted to point out: right now we are being as promiscuous as possible, because it's not really a web application that is delivering service to other people, because it's hosted on my local area network, so in this case you can perform a type of denial of service, and that's because I've allocated very minimal resources to this virtual machine, so that's why it's kind of lagging out. Alright, so that's something to take into consideration. Now, to pause the attack, like so; remember you can pause it and you can stop it. Let me just go back here and let's see if we can reload these pages; they should be able to be reloaded quick enough. Let me just load that up, and we can close this one; let's see if the WordPress register page does open up. Yeah, there we are. So you can see, even though this is a very old WordPress installation, we were causing it to lag out, so always keep in mind that the amount of threads that you set can affect the performance of the website or of the web application, and you don't want to cause any impact to customers if you're performing the test on a real-world working web application or website. Alright, just something you might want to take into consideration. So we're gonna resume it, and of course I'm not going to expect to find anything weird here, although this WordPress installation is designed to be vulnerable. So you can also change the number of threads running right here; so if I wanted it to run on, maybe, 10 threads, which is quite slow, that means the enumeration process will take longer. So it's all about balancing your resources and understanding what you're trying to look for. Of course, this can be a very useful tool when doing bug bounties, or CTFs for that matter, especially Hack The Box.
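A defender's counterpart to the DirBuster run above, added here as an example (it is not code from the video or from the OWASP DirBuster project): it parses constructed Apache-style access log lines and flags a client whose traffic looks like wordlist enumeration, that is, many requests per second, mostly 404/403, almost all to distinct paths. The thresholds, the sample log and the IP addresses are assumptions made for the example.

```python
"""Flag DirBuster-style directory brute forcing in web server access logs.

Added example (not code from the video or the OWASP DirBuster project).
The log lines are constructed below; the thresholds are assumed starting points.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_bruteforcers(lines, min_requests=20, min_miss_ratio=0.7, min_rate=0.5):
    """Return {ip: summary} for clients whose traffic looks like wordlist enumeration:
    many requests in a short time, mostly 404/403, almost all to distinct paths."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        if len(recs) < min_requests:
            continue  # too little traffic to judge; a visitor who hit a dead link is not a scan
        recs.sort(key=lambda r: r["ts"])
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        misses = sum(1 for r in recs if r["status"] in (403, 404))
        ratio = misses / len(recs)
        rate = len(recs) / span
        paths = {r["path"] for r in recs}
        if ratio >= min_miss_ratio and rate >= min_rate and len(paths) >= 0.8 * len(recs):
            flagged[ip] = {
                "requests": len(recs),
                "misses": misses,
                "miss_ratio": round(ratio, 2),
                "req_per_sec": round(rate, 2),
                # what the scanner actually found: these are the paths to review first
                "hits": sorted(r["path"] for r in recs if r["status"] < 400),
            }
    return flagged


# ---- constructed sample log (not real traffic) ----
_T0 = datetime(2019, 10, 10, 13, 55, 0, tzinfo=timezone.utc)


def _line(ip, offset, method, path, status):
    ts = (_T0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


_WORDLIST = [  # a slice of a typical directory wordlist
    "admin", "backup", "cgi-bin", "config", "db", "images", "includes", "js",
    "old", "private", "temp", "test", "tmp", "uploads", "wp-admin", "wp-content",
    "wp-includes", "wp-login.php", "wp-register.php", "xmlrpc.php", "phpinfo.php",
    "login", "secret", "dev", "staging", "logs", "data", "scripts", "css", "api",
]
_EXISTS = {"images": 301, "wp-admin": 301, "wp-content": 301, "wp-includes": 301,
           "wp-login.php": 200, "wp-register.php": 200, "xmlrpc.php": 200}

SAMPLE_LOG = [
    # scanner: one request per second, alternating HEAD/GET like DirBuster's auto switch
    _line("203.0.113.7", i, "HEAD" if i % 2 else "GET", f"/wordpress/{w}", _EXISTS.get(w, 404))
    for i, w in enumerate(_WORDLIST)
] + [
    # ordinary visitor browsing the blog a few minutes earlier, plus one dead link
    _line("198.51.100.4", -300, "GET", "/wordpress/", 200),
    _line("198.51.100.4", -280, "GET", "/wordpress/?p=1", 200),
    _line("198.51.100.4", -250, "GET", "/wordpress/old-post", 404),
    _line("198.51.100.4", -200, "GET", "/wordpress/wp-login.php", 200),
]

if __name__ == "__main__":
    for ip, summary in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, summary)
```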
We are going to be looking at something extremely important, something that should be understood completely, and that is cross-site scripting. Alright, now before we get started, I'm just gonna explain what we're gonna be looking at in this video. We're gonna start off with explaining what cross-site scripting is. I'm gonna be showing you the environment that we'll be using for testing any of these attacks, just because they allow me to illustrate, or allow me to explain, how everything works, because that's the most important thing for me: that you understand what you're listening to and you have a good representation of what's going on. Alright, so I'll be explaining reflected, stored and DOM cross-site scripting. Alright, so let's get started with me explaining what environment I'm currently running. So you can see that I'm running Kali Linux right now, but I am going to be using the OWASP Broken Web Applications project, so I'll have this in the description section. It is essentially a virtual machine that you can easily just run on VirtualBox or VMware. I'm currently running it here; as you can see I just got the local IP, it's 192.168.1.111. Alright, so I have it running, and I'm running this on Kali Linux, and I already have opened up the URL in my browser, so you can see from here I've opened up bWAPP and I've opened up WebGoat, because that's what I'm going to be using to explain each of these cross-site scripting attacks. So if I was to just open up 192.168.1.101 (yours could be different; it should be different depending on your IP configuration and subnet), then it'll take you to the OWASP BWA, or the OWASP Broken Web Applications project; the latest version as of recording this video is version 1.2. So we will be using WebGoat and bWAPP of the Broken Web Applications project for this demonstration. So the default
credentials for WebGoat are going to be guest for the username and guest for the password, and for bWAPP it should give you a prompt right over there; I think it's going to be bug app or something like that, but regardless, it will tell you what it is. Alright, so make sure you open that up and you have that all set up. So I've logged in to bWAPP and I have WebGoat started up right here. Alright, so let me close that up and we are ready to go. Now before we even move on into performing these attacks, it's very important to understand what's going on here with cross-site scripting: what it is, how it works, and what you are exactly taking advantage of. Alright, now this is where a lot of people make mistakes, and if you want to be a successful web application penetration tester you'll need to understand, from a fundamental level, what's going on here. Alright, so let's get started. What is cross-site scripting? Well, simply put, it is the process of injecting a script into the parameter in a URL to attack a user of the site, or to potentially attack the server side of the website or the web application. Right, so it essentially is the injection of a script into the parameter of a URL. Alright, that's essentially what it is. Now of course this may be quite confusing, but don't worry, I'll explain what's going on here. So let's start off with, first of all, explaining the three types of cross-site scripting. Alright, the first one is reflected, and then we have stored and DOM. So with reflected, what's happening here is the data is input and then reflected directly back on the screen, so I'll explain this in a second. Alright, so if we are to look at this from a fundamental perspective, I'll show you how to access this, how to navigate bWAPP, just give me a second, let me explain what's going on. So essentially what's happening with reflected cross-site scripting is that the input is going to be stored in the parameter of the URL, all
right, and I'll explain how this differs with each type of attack, because many of you will point out and say, well, it's not only to do with parameters, and don't worry, I'll explain all of this. Alright, so we can essentially manipulate the parameter of the URL so that we can essentially run a script. Now what type of script can we run? A malicious script that is based in JavaScript, and I'll explain that right now. So you can see with our portal, you don't want to touch anything here; you can set the security level, but for now I recommend setting it to low, not that that's going to hurt anyone's ego, because remember you have to be humble to begin, and you need to understand what's going on first. So we will open up the "choose your bug" section here, and we want to go down into cross-site scripting, and we want to go into reflected, which essentially deals with the GET requests. So we're going to start off with that, and this will really make you understand what's going on here. So if I click on that and I just hit hack, alright, so now it's gonna give us a prompt here, and you might be asking, well, what do you mean, what exactly is going on? If I was to not enter any details into these fields right here (so for example, you can see I just had a suggestion there, that's because I was testing it out) but I was to hit go, you can see that in the URL we do have the input here, so you can see the values can be edited directly in the form. So you can see first name has no value, and then we have the last name, which again has no value, and you can see that it is submitting a form. So what we can do is run some JavaScript code in here, and the most common way of explaining what's going on here, of course not running very malicious code right now, essentially explaining and demonstrating that it does work, is I can run a piece of code here. Now of course, when you put this into a practical perspective, many sites are going to filter the content that you can enter
in these fields or these forms, and will essentially not allow you to run JavaScript code, obviously to protect the site from these types of attacks. But what you can do is encapsulate it, encode it in a different type of language, and as I said, I'll show you how all of this works. So right now, the current security level being low, it will not essentially encode it, it will not verify or validate what we're entering in here, what input is being given. So if we were to type in a script here, so you can say script, and you can see the recommendation there, script, that's mine, so if I also type in alert, and this is JavaScript, so I am pretty sure you know what's going on, so you can see: hello world, this is an example of reflected XSS or cross-site scripting, and we can close that up right now, and then we need to close the script. So you can do that in the next field, or the next parameter; most people like doing it from the start, but this is just to show you how robust this can be. So I type in, I close the script there, and I hit go, and as you can see it gives us the alert, which is what we used as our form of me showing you that it does work, and it will be processed: the input will be processed and will be sent back to you, you being the client, and we can just hit OK. And that was an example of reflected XSS, cross-site scripting, using the GET method. Now of course I can replicate this many times using the other types of cross-site scripting, for example with POST etc.; we'll be looking at all of that, but for now we need to understand what's going on here. Now next we need to look at stored cross-site scripting; this is probably my favorite because of the potential that it does have. Alright, so let's go into the "choose your bug" menu here, and we want to go into cross-site scripting, and we want to go for the blog, cross-site scripting stored, cross-site
scripting, and we're gonna select blog, and I'll explain why in a second. Alright, so first let me explain what stored cross-site scripting is. So essentially, with the cross-site scripting attacks, more specifically the stored attacks, essentially what's happening is you're attacking the input that is to be stored, or you're attacking the data; I'll explain this really simply. So you're attacking the input that is to be stored in a database, so what you're doing is you're essentially injecting malicious code that will be saved into a database, or that is going to be saved by the server or the web application server, and then, since it's being stored, you can access it later on, or other users can access it, and for example if it's running malicious code it can trigger different things, like opening the webcam of a user, stealing different types of information. I'm not going to go into what you can do with it, but you can really do a lot of stuff, a lot of malicious stuff, with code. Alright, so let me explain what's going on here. So with stored cross-site scripting you can essentially inject malicious code into the database that then, when accessed, runs this malicious code. Alright, so you can see this is an example of a blog; let me explain what I mean. The best places to implement stored cross-site scripting are in places like comments, forums, and again, as you can see right here, a blog in the form of comments, or pages that can be accessed later, or data that is being stored directly in the database, any database for that matter, as long as it's being stored. Okay, so we can type in here something like hello, and we can submit that to the database, and you can see it's getting stored, and you have different tables: you have the number, the owner, the date and the entry. So now we can also run a script in here. Alright, so what if we were to enter JavaScript? And again,
this data, given our security level, any of the data that we're entering is not being validated, so you can essentially enter it raw. Now in reality, if you go and try and enter script, the data will not be accepted, because again they are protecting their site against that; that's one way of mitigation, very basic, I'm sure you know what I'm talking about. Alright, so enough of me rambling on. So if we were to enter the same script we entered, so we were to say script, and we then say alert, for example, you can use any type of JavaScript code you want here, and you can experiment; these web applications are there for you to experiment and test your skills out. So if I were to say hello world, this is stored cross-site scripting, and we just close that up there, and of course we have to close the script, because we know that it will not execute if we do not code it correctly. Okay, so now we can add that, and if I was to just hit submit right now, you can see that it's going to store, and that being the latest blog post, you can see it's gonna execute the script and it's gonna say hello world, this is stored cross-site scripting. So in an example of a blog, if you are to post this on a page, or to make a blog post and inject this script, anyone who opens that page will essentially run that malicious code, and whatever that code does can then furthermore cause damage to the user or to the server, depending on what you want it to do. So it's all dependent on what the attacker wants to do. Remember what I told you in the first video of this series: it's all about your mindset and your willingness to break things and to find out what does and doesn't work. Okay, so that was an example of stored cross-site scripting, and as I've mentioned, the most important thing to understand is that in this scenario the data is not being validated. If it is being validated, and I'll show you that in a second, or probably in the next set of videos.
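To make the low-security behaviour above concrete, here is an added example (not bWAPP's PHP or the author's code) that models the reflected page (two GET parameters echoed into the response) and the stored blog page, each in a vulnerable and an output-encoded form, with a check that counts real script elements the way a browser would see them. The payload is the harmless alert() from the demo, split across the two fields as in the video; the in-memory Blog class stands in for bWAPP's database.

```python
"""Reflected and stored XSS, vulnerable and hardened forms.

Added example modelled on the bWAPP pages shown in the video; it is not bWAPP's
PHP or the author's code. The in-memory Blog stands in for bWAPP's database.
"""
from html import escape
from html.parser import HTMLParser


class _ScriptCounter(HTMLParser):
    """Counts <script> elements a browser would actually create from the markup."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def script_elements(html_doc):
    """Number of real <script> elements in a rendered page (escaped text counts as 0)."""
    parser = _ScriptCounter()
    parser.feed(html_doc)
    parser.close()
    return parser.scripts


# ---- reflected XSS: GET parameters echoed straight back into the page ----
def reflected_vulnerable(params):
    """Security level 'low': parameter values are concatenated into the HTML untouched."""
    return f"<p>Welcome {params.get('firstname', '')} {params.get('lastname', '')}</p>"


def reflected_hardened(params):
    """Output encoding: every untrusted value is HTML-escaped for the text context it lands in."""
    first = escape(params.get("firstname", ""), quote=True)
    last = escape(params.get("lastname", ""), quote=True)
    return f"<p>Welcome {first} {last}</p>"


# ---- stored XSS: blog entries are persisted and rendered for every later visitor ----
class Blog:
    def __init__(self):
        self.entries = []  # stands in for the database table (number, owner, date, entry)

    def submit(self, owner, entry):
        self.entries.append({"owner": owner, "entry": entry})

    def render_vulnerable(self):
        rows = "".join(
            f"<tr><td>{e['owner']}</td><td>{e['entry']}</td></tr>" for e in self.entries
        )
        return f"<table>{rows}</table>"

    def render_hardened(self):
        rows = "".join(
            f"<tr><td>{escape(e['owner'])}</td><td>{escape(e['entry'])}</td></tr>"
            for e in self.entries
        )
        return f"<table>{rows}</table>"


# Constructed demo input: the video's payload, opened in one field and closed in the other
REFLECTED_DEMO = {
    "firstname": "<script>alert('Hello world, this is an example of reflected XSS')",
    "lastname": "</script>",
}


def demo_blog():
    """A blog with one ordinary post and one post carrying the stored payload."""
    blog = Blog()
    blog.submit("bee", "hello")
    blog.submit("bee", "<script>alert('Hello world, this is stored XSS')</script>")
    return blog


if __name__ == "__main__":
    print("reflected, vulnerable:", script_elements(reflected_vulnerable(REFLECTED_DEMO)))
    print("reflected, hardened:  ", script_elements(reflected_hardened(REFLECTED_DEMO)))
    blog = demo_blog()
    print("stored, vulnerable:   ", script_elements(blog.render_vulnerable()))
    print("stored, hardened:     ", script_elements(blog.render_hardened()))
```

Note that the hardened versions escape for the HTML text context only; a value placed inside an attribute, a URL or a script block needs the encoding for that context instead.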
of videos, I'll increase the security level and show you how to get past it, so you can see how things change as you move along in terms of security levels.

I was going to use bWAPP, but this is my first time using it, so I had to get a bit of an introduction through the documentation, and I realized they don't have DOM cross-site scripting. That's why I had to use WebGoat; they're the only ones I know of that actually let us run it. I'm logged in right now, by the way; the credentials are guest for the username and guest for the password. I went through the cross-site scripting section and, again, they didn't have DOM in there; all they were focusing on was stored and reflected. I found it under the AJAX section, and here we have DOM-based cross-site scripting.

Let me explain why it's listed under AJAX security. DOM cross-site scripting focuses on the client side, so any data or input, malicious code or otherwise, is going to be processed by the client, not the server, and so the attack is based on the client. Let me explain what I mean. Remember JavaScript: server side, client side, AJAX. If I type JavaScript into this entry, a script tag with alert("hello"), keeping it simple, and close the script tag, you can see that we will probably not get any result. That's because it's being processed by the client, not by the server, so no result or data is reflected back to us. If it were reflected cross-site scripting, the server would process it and reflect it back to the client. So if I submit here, you can see that nothing happens, and the input is accepted as good. Now, what if we enter something that the client can understand? So let's say we were to
use HTML instead. I can enter an img tag, the way we learnt it: img src, and we don't have an image source, so we leave it empty, and then we use the onerror handler, which fires because the image fails to load; onerror is set to alert("hello world"), and then we close the tag. Once you've closed it, there you are: it is processed by the client and you get the dialog box with the message hello world. (The precise reason the script tag did nothing while the img tag works is that a script element inserted into the page through innerHTML is not executed by the browser, whereas an event-handler attribute on an inserted element is.) So you can see that with DOM-based cross-site scripting all the input, malicious or not, is processed by the client, and AJAX-style code is one of the places it shows up, so you can incorporate AJAX calls if you want to test that out. Remember, it's all about experimentation and understanding. I hope you've got an understanding of what cross-site scripting is, how it can be used to manipulate data, whether on the client side or in the database, and how easily you can move data around when bad security is in place. Of course, these exact attacks are much less common now, but this was focused more on explanation.

Now we are going to look at cross-site request forgery, or CSRF. This is an extremely important topic and a big one, so I want to cover it correctly. For the purpose of this video I've set up a very specific environment that, at least in my opinion, will demonstrate how to perform this attack. I'm just going to give you a brief overview of the environment I have. You can see I have a few files open here; don't worry about them right now, just remember that we'll be using them later on, and I'll be using them to explain what's
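Before moving on to CSRF, here is an added example of the two points made above about cross-site scripting: the "security level" difference in the stored XSS exercise is whether user input is HTML-escaped before it is put into the page, and the DOM XSS exercise needed the img tag because of how browsers treat markup inserted through innerHTML. This is my code, not the video's and not bWAPP's or WebGoat's; the render functions are a stand-in for the blog-post page, and the two payload strings are reconstructed from what is typed in the video. It runs under Node without a browser.

```javascript
// Added example (not from the video, bWAPP or WebGoat). Runs under Node.

// Escape the characters that can break out of a text node or a quoted
// attribute. This is the basic "validation" the higher security level adds.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Low security level: the blog comment is dropped into the page as-is.
function renderCommentInsecure(comment) {
  return `<div class="post">${comment}</div>`;
}

// Higher security level: same template, input escaped first.
function renderCommentSecure(comment) {
  return `<div class="post">${escapeHtml(comment)}</div>`;
}

// Does the rendered markup still contain something a browser would run:
// a script element, or an inline event-handler attribute inside a tag?
// Deliberately simple; enough for the payloads used in the video.
function containsExecutableMarkup(html) {
  return /<script\b/i.test(html) || /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

// The two payloads typed in the video, reconstructed as strings.
const STORED_PAYLOAD = '<script>alert("hello world this is stored cross-site scripting")</script>';
const DOM_PAYLOAD = '<img src="" onerror="alert(\'hello world\')">';

// Why the DOM XSS exercise needed the img tag: when client-side code does
//   element.innerHTML = userInput;
// the browser does not execute a <script> element that arrives this way, but
// it does create the <img>, the empty src fails to load, and onerror fires.
// This function encodes that browser rule for the two payload shapes above.
function executesWhenInsertedViaInnerHtml(payload) {
  const isScriptElement = /^\s*<script\b[\s\S]*<\/script>\s*$/i.test(payload);
  const hasEventHandler = /<[a-z][^>]*\son[a-z]+\s*=/i.test(payload);
  return hasEventHandler && !isScriptElement;
}
```

The check in containsExecutableMarkup is a teaching aid, not a sanitizer: real output encoding is context-dependent (HTML body, attribute, URL, JavaScript string each need different escaping), and a whitelist-based HTML sanitizer is the right tool when users are allowed to post markup.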
going on here. As my target, my vulnerable web application, I'm going to be using the OWASP Juice Shop. Nobody actually recommended this to me; I remember exploiting it during a CTF challenge I went to, I think late last year, I'm not sure exactly when, and the whole process involved exploiting this web application. In my opinion it really shows how to perform all of these various web application attacks, and in this case we're going to focus on cross-site request forgery. I have the Juice Shop running; it's based on Node.js and it's running on my localhost. Let me show you that right now. There we are. I haven't logged in or done anything yet, because I'm going to do that with you. So let's get started with this really simple but sometimes complicated topic.

Cross-site request forgery, CSRF. From the name you can already tell that it's split into two parts: cross-site, and request forgery. So we have a request coming from another site, and we are going to be forging, or manipulating, that request. The technical explanation is that CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. Put simply: it's an attack that forces an end user to execute unwanted actions on a web application. These actions can be anything, but in this case we're going to be looking at changing the password, and the user has to be currently authenticated to that web application, which means they have to be logged in to that web
application for this to work, because if they are logged out then, as you can guess, it doesn't work. In this case we use cross-site scripting to deliver the forged request and to get either desired or undesired results; in our case we're going to look at how to change the password of any user who is logged in to this web application. How will we be doing that? We are going to be using CSRF, but the first thing you need to understand is how an HTML form works, and this is very important. First, a client requests a page from a server. The server responds and gives the client the HTML form. The client then sends the form, with its data, back to the server. The server authenticates and authorizes the user and performs the requested action. Based on the request and the response, we are able to forge, or change, the request and get a desired response, if you're looking at it from an attacker's perspective. So the way CSRF works is that the attacker manipulates the victim into submitting the attacker's form data to the victim's web server, essentially performing these requests on the victim's behalf, and in our case, as I've mentioned, it will allow us to change the password of any user on this web application, the OWASP Juice Shop.

Now you might be asking: if I'm a bug bounty hunter, or practicing to become one, how do I go about finding this vulnerability? That's a very good question, and it is the question you should be asking yourself when performing any penetration test. Coming back to my environment, I'm running Burp Suite Community Edition; you'll only need the Community Edition for this one, because we're not performing any advanced techniques here, we're essentially just changing the
requests to get our desired responses, but once we move on to the advanced stuff I'll be using OWASP ZAP for our attacks. Keeping things really simple, the way to look for these vulnerabilities is to target the login pages, which we have right here. We then create an account and log in, and finally we create our own script to perform the cross-site scripting. That will let us submit the data, or, if we send the URL to another user of this web application who is currently authenticated, it will make them change their password, and then we can log in to their account. This vulnerability is very common on sites with accounts, sites with emails and passwords, and as you would have guessed there are a lot of sites with that functionality; but remember, most sites out there will be protected against this, so it's up to you to find the ones that aren't.

As I've mentioned, we'll be using OWASP Juice Shop as our target, because it demonstrates what I want to explain really well, and we'll be using Burp Suite Community Edition. As you can see I'm currently running the Burp proxy, but I'm not intercepting any traffic: if I open up Burp Suite and go to Proxy and then Intercept, it's off. All traffic is just going through the proxy and being logged in the history. As for this little bit of data I've saved here: I've already created an account, to save time, so I don't have to explain everything about it. I've created a user with the email test@test.com and a password of password. Really simple, nothing complicated. And if you're wondering what this other part means, well, this is a security
question with its answer: the question was what's my favourite pet, and I wrote in dog, so hopefully that doesn't scare you into thinking I've gone completely crazy. Then here we have the script that we'll be using to perform the CSRF on the site; I'll get to that in a second, we don't need it right now.

So, to log in, I know the email is test@test.com and the password is password. Let me do that right now; we need to authenticate. I enter test@test.com, the password, hit login, and I don't want the browser to save the password. There we are, I've logged in. As I said, this vulnerability works really well when you're talking about changing passwords, because, as you can guess, an attacker would be looking to exploit exactly this functionality. Imagine if we could send our target a link, a URL-encoded GET request (we could also use a link shortener), and if they are authenticated, it makes them change their password to whatever we specify simply by clicking on the link.

So how do we do this? The first thing we need to do is look at how the GET request is being sent, and we can do that using Burp. We're just going to change our password: the current password is password, and I'm going to change it to password123, repeat it, password123, and click change. The password was successfully changed. Now let's look at how this request was sent, in Burp. I go to Proxy, then HTTP history, scroll all the way to the bottom, and as you can see we have the GET request right here. So the GET
request is interesting. You can see it's targeting the following URL, and these are the parameters: change-password, with the current password password, the new password password123, and the repeat of it. So now let us perform the forgery. I'm going to send this to the Repeater. In the Repeater we can manipulate the request and see what responses we get, in case you didn't know that. But let's start really simply. We are going to work with the raw request; we don't want to work with individual parameters, although you could change them that way, we are going to be manipulating the request as a whole so that it does what we want.

First we can test: what if we change the current password to something like test, and hit Go? You can see the response is a 401 Unauthorized, and it gives you the message right here: the current password is not correct. That is good from a web application perspective; it means the application is validating that parameter and is not going to let us just go in and start manipulating requests and making changes. So from a security perspective, so far, the application is doing well. What if I change the current password back to password, which is correct, and change the new password to pass123 while leaving the repeat as password123, and hit Go? Again we get a 401 Unauthorized, telling us that the new and repeated passwords do not match. So the current password is correct, and the only error is that the new and repeated passwords don't agree. Interesting. So what if we set the new password to password123
and repeat it as well, so we confirm this: new password password123, repeat password123. This should work, but let's see. Yes, it does, and we know it works because that was the original request. But what if we do not know the current password of the user? Remember, we're going to be targeting other users of this web application. So what if we get rid of things? This is the way penetration testers go about it. What if we get rid of the current password parameter entirely, so the GET targets change-password followed by the question mark and only the parameters new and repeat, and we set them to pass123 and pass123? Hit Go, and yes, it works: we get a 200 response, which means the request was processed, and in the response we get the email we used and a password that looks to be hashed. So we know this worked, but we need to confirm it, and we can do that by going back into the web application, logging out, and trying to log in again with the new password: test@test.com and pass123. Remember, the point of dropping the parameter was to show that if we send this to a target, it will work without any information we don't have, like their current password. Let's hit login, and voilà, it works. Excellent.

So this is a fantastic example of how CSRF can be utilized, and of how you find these vulnerabilities: the change-password action runs without requiring the current password, so a forged request can change or update anyone's
password, for any account that is currently logged in to this web application. So what do we need to do now? We can log in, as we've already seen, and once we've logged in we can test whether cross-site scripting works, because using it throughout the web application is very important. We can run a simple cross-site scripting test on this search bar right here. I'm going to type in a simple script tag with an alert, just to test whether it works: alert("hello world"), something silly, and close the script tag. Let's hit search, and voilà, cross-site scripting does work, which means we can put our GET request inside the script and use cross-site scripting to perform the CSRF. Now you can see the two joining together: cross-site scripting with request forgery.

So we now need to create our custom script for the attack, and we'll be using XMLHttpRequest. You might have seen this script right over here; let me minimize this and open up Leafpad. Now, you can find many CSRF scripts online that use different techniques; in my case I find the one that works best is the one that uses XMLHttpRequest and contains the GET request in here. You can see that the request requires the URL to which we submit the parameters, without the current password. So we need to go back into Burp, to Proxy, HTTP history, sorry, the Repeater, and look at the change-password request. We can see the URL right over here; that's the GET request. We copy this, the localhost URL, and we are not using any
current password field. So you can see how this can be used really well. What we need to do now is understand how the URL will be formatted; the web application is going to encode it, and I'll get to that in a second. So we copy this URL and edit our script: http, and we paste it into the URL. You can copy this script if you want to. Let's check that the script is formatted correctly. Get http new: that's not the way we want it; let me get rid of the pre-filled http. So: http://localhost:3000, because it's hosted on my localhost on port 3000, not the standard port, and then change-password with new set to pass123 and repeat set to pass123. You can change that to whatever you want if you want to play around with the script, but in my case I'll leave it. So this is the script. We can copy it and run it in the search bar, and that should, in theory and in practice, give us our first CSRF attack on the site. I paste it in here, hit search, and you can see: you successfully solved the challenge "Error Handling: provoke an error that is not very gracefully handled". Again, this is a fantastic vulnerable web application for practicing your web application penetration testing skills.

Now, I talked about the URL that you should send to your target: that is the URL that will make them change their password without them knowing, given that they are logged in to the web application and their account. It will not work if they have not logged in; that's very important to understand, and many people forget it. Again, to show that this worked, I can log out again and try to log in now, and I can
type in, for example, test; I just want to show you something interesting here. I can log in as test, and I won't change the password yet; we already changed it. Before I do that, I open Inspect Element, and then I hit login, and I want you to check something out. Let me expand this a little. If we look at the Network tab, it shows us all the requests. Once I've hit login, you can look at the login request and see the exact format in which it was sent. You can look at the cookie; it should give you the authentication token, but that's something for another day, I don't want to complicate things. You can look at the cookie if you want to, and you have all the responses right here; there's the authentication token, and there's something very interesting about that token, which I'll show you later.

So, as I was saying, if we look at the parameters, the password will be displayed and then updated to the one we specified in the script. Remember, if you want to customize the cross-site scripting attack you do it through your script, here in Leafpad. As you can see, we just got rid of the current password parameter, which is the vulnerability on the site, but you can change the new password to whatever you want. And now you might be asking, as I've mentioned, what link do you send to the target? That is very simple. If I run the script again with the password changed to something else, say password345, let me add that to the script and run it as an authenticated user, which is me, so let me copy that, and it
should change my account password; once I log out and try logging in, it will have changed. Let me run it: I paste the new one into the search bar, hit search, and there we are, it's changed my password. If I log out and try to log in again (sorry, I typed that in wrongly the first time), hit login, and there we are: the new password is in place and it did work. Fantastic. So we successfully executed the script, and if I run it again, this is the URL you would send to your target. If I copy it and inspect it in Leafpad (I really love Leafpad, I hope you like it too), you can see that this is indeed a URL, and if the web application were hosted on a server outside my local network it would carry the website name, the port if one is specified, and the path, which as you can see is URL-encoded. So what I would recommend is that you copy this link, use a link shortener like bit.ly or any of the other shorteners, and send it to your target. Once they click on the link, if they are already logged in to this specific web application, it will update their password, and you now effectively have their password because you set it; all you need is their email, which you presumably know if you're performing this attack. Or you could just be resetting the passwords of whichever users you can send this link to who are authenticated with the web application.

Next we're going to look at sessions, and in this video particularly we'll be looking at cookie collection. You probably already know what a cookie is. There are three types of cookies that we really need to focus on in this section and will be focusing on in
general. The first is the session cookie, which I'll discuss in a while; then we have permanent cookies; and the third is third-party cookies. Third-party cookies are really to do with third-party APIs that may be used, so for example if you're on a website that uses Flash Player you may find some cookies related to the Flash Player. It's very important that you understand how to collect these cookies, and we'll also be looking at reverse engineering them, though not really tampering with them yet, because I first want to explain how everything is done; then we can move on to tampering with them and seeing if we can change them to give us a different type of access. Where this comes into play is session cookies: in session cookies we have the authentication token and the unauthenticated token, which are all to do with your access on a web application or website. Essentially all the cookies you get when you visit a website are generated when you visit, and furthermore the cookies change when you authenticate with the website or log out. When you log in you get a different set of cookies, and when you log out you get a different set; this is where the whole idea of session management comes into play, and how cookies are utilized for it.

I'm currently running OWASP Juice Shop; I showed you how to set that up, let me know if you found it helpful. I have it set up and open in my browser. What I'm going to cover is how to collect these cookies and understand the difference between an unauthenticated cookie and an authenticated cookie. What I use to my advantage is that if you're using Google Chrome or Firefox you can get a cookie collection or a
cookie editor add-on that allows you to edit the cookies. But as I said, we're not going to be editing them right now, because we don't yet know what to change in them; this video is focused on collecting them and analyzing what information they hold. I've reset the Juice Shop, just to start fresh, and as I said we're going to use it for all the examples I'll be showing you so that we can learn the concepts. Before we log in I just want to show you the first set of cookies we get when we visit the site; don't worry about the other links, we'll get to them in a second. I'm using the Cookie Editor add-on, the one for Firefox; there are also equivalents for Google Chrome. In addition, we're not going to be using a proxy like Burp Suite or OWASP ZAP right now, because we're focused on using the browser tools and these add-ons. So I right-click and hit Inspect Element, and we have the developer tools here; once you've installed the cookie editor you can also go directly into Storage, where you get the cookies and their values, but it'll be easier to understand what's going on in the cookie editor. In the cookie editor you can see we have two cookies: cookieconsent_status, and "io", which I'm not really sure what it does; input/output, I'm guessing. The cookie consent status you can probably guess: when I opened the website it prompted me, as all websites will in 2018, to accept their privacy policy in
relation to the use of personal data and cookies, and the reason is that cookies can hold a lot of information about you and what you've been doing. That is why, before we move along, it's very important to understand their role in session management. So we need to look at the authentication tokens, because that's where most of the magic happens, as you would expect. Let me close this and log in with the email and password I used; I don't want to save the password. I've logged in, and if I inspect the element again, you can see in the cookie editor (let that load, it usually takes a while) that we now have a token. This token is an authentication token.

When it comes to reverse engineering a token, we're essentially testing it for vulnerabilities, similar to a penetration test. You might be a little confused and asking how we can perform a penetration test on a token. Well, this token is encoded. If we copy it: I don't know whether you know about this, but this is a JSON Web Token, a JWT, and you can use a JSON Web Token decoder (I'll post the link in the description; this is the one I prefer to use). If I paste the token in here, it gives me all of its information, and I'm going to help you understand what we've just done. Essentially we have reverse engineered what this web token is all about, by decoding it. Now we need to look at what it contains and what authority or privileges it gives us, because remember, this is an authentication token and
it is unique to us: it determines whether or not we are logged in to the site and what access we have on the website. I'm pretty sure you already know that. Now, the header. This is very important; I've seen many people claiming to be bug bounty hunters who don't understand how the token is even structured. What is the header? The header is separated from the payload: the header is everything up to the first full stop. In fact the JSON Web Token is divided into three parts: the header, then the payload up to the second full stop, and finally the signature at the end, also separated from the rest by a dot. The header gives you the type of the token, in this case a JWT, and the algorithm used to sign it, which here is RS256. Then the payload; this is where things get interesting, as you would have expected. You have the status, the data if any data was passed, and the id. We can always edit the id to see what else it gives us in terms of authentication, because different identifiers give us different types of access. This is where you scrutinize the authentication token and tamper with it to see what different results you get. So remember, we can edit this token, any part of it, copy it, paste it into the Juice Shop in place of the real one, re-authenticate with the new token and see what results we get. Of course we are not going to do that right now,
because I wanted to introduce you to what information you're going to find and what exactly is going on here; one step at a time. You can see that something extremely interesting pops up here: we have the email, which in this token is in plain text, so it is not very well designed; it means that if in any scenario someone is able to get this token, with which I authenticated to the site, they will have my email and my password hash. You might be saying, well, I didn't see you type out all these random characters. Well, I can easily guess that this is an MD5 hash of the password, which means that, depending on the strength of the password, I can look it up online in a second using any of the hash-cracking tools. If I copy this right now and I want to know the password (let's say this token wasn't even mine and I found the email and password hash in it), all I need to do is crack the hash. I go to MD5 Online, which I use a lot, paste the hash in here and hit decrypt. First it prompts me for a CAPTCHA, which is getting really annoying, it always does that, and as you can see it finds it. Of course this depends on the difficulty of the hash and whether it can be found online. You can see that it displays the hash and the password in plain text, which in this case was pass123. You can experiment with this, and if the authentication token you found used a different hashing algorithm for the password, the first thing you need to do is identify what it's using and then go about cracking it. I'm not going to talk about the other parts here because that's a bit advanced,
and you can see by default the signature the token signature field which means we can tamper with this token and we can make changes to it and we can authenticate with it because as I said the earth view shop is is designed to be vulnerable and this is where you perform all of these tests okay so when it comes down to the payload the most important things are to look for the status the ID and obviously if you can get any other information in the data section or in terms of the email and the password that's also very important now of course it's not very easy to get a hold of someone's of someone's token but you can do it but and then you are performing the penetration test on the token because if someone was to write in the comment section of this video what if all to grab the the authentication token that belongs to Facebook let's say had access to someone's computer a few seconds and I was to get the authentication token what would I be able to do well first of all you have to test the security of that token and I can guarantee you that their tokens are going to be very well secured and performing the penetration of the penetration test on them will be a different ballgame so we'll be looking at changing them or or tampering them to give us different types of access be talking about HTTP attribute attributes and cookie security I am currently running autoshop and what I did is I started a fresh new instance or I unzipped a new OS blue shop that's because I wanted to start afresh and of course in the previous video we looked at cookie analysis and tokens but now we're going to look at how at the security aspect of all these cookies are secured and how you know how cookies are stolen and how these can be exploited with with with other exploits or functionality like cross-site scripting now you'll get to what I'm saying in a few seconds so I have watched you shop running and I've created the same user and password as I did last time so it's test at test comm that 
being the email and the password is password one two three just so you know and I'll do that right now I'm just gonna log in as you can see test that test comm and the password is password one two three so let me just log in and there you are so I've logged in and haven't solved any challenges so when we talk about cookie security what do I mean well this can be done or can be inspected really easily now of course for this you're not going to need any of the browser extensions or add-ons because we'll just simply just be inspecting the element here so if we open inspect element and going to storage and we go into cookies and select the site which is on localhost you can see that if I was to click on for example the token and we just look at the data you know that we can see within the token if we go to the HTTP only section here you can see that that is set to false now what does that mean well that means that we can potentially exploit this cookie and its storage location in the sense that it is it is it is not secured now I'll get to why and how this is happening in the in a few seconds all right so if the value is set to false it means that the cookie can be accessed and written to now how can one use this you know for potential attacks or cookie cookie stealing as we know it now if you are an advanced web application penetration tester and you know or cross-site scripting you know that usually attackers will use cross-site scripting to steal cookies by sending you links that then you know by sending you links to pages on the site that that you're already authenticated to that have the the malicious JavaScript code that will then send your cookie your authentication cookie with your token etc etc through their attack server and from that they can then use that to authenticate into your account it's not common because mostly the the cookies are usually secured now you will run into sites that have this and this is a very very big vulnerability in terms of 
severity so if you're a bug bounty hunter this is in the medium to low category so not really a big exploit but still a very very big problem that many many you know usually I would like to say rookie developers miss especially when dealing with huge frameworks like node etc I'm not gonna get too deep into that so you can see that the HTTP only is set to false now what does this mean this means that we can use utilize a lot of functionality to exploit or to display the the token or even more to send this the my cookie or you know my token whatever you want to call it to on a server or to save it alright to grab it to steal it you know simply put so how can we exploit this well we can use cross-site scripting and this is probably the most used method for this and to do this we can simply we can use any of the we can use the search or we can use the contact but I like using such because usually it is unfiltered now when I say this I'm you know many of you will say well most of the big sites well I'm not talking about the big sites the big sites obviously have to take this into consideration I'm talking about sites that are developed by small teams they usually don't take this into consideration so if I was to just type in a simple cross let's creep ting a script that will essentially display my cookie right now as I'm authenticated so to do that I'll just type in script and for this we are using an alert here to display to us so alert and we're going to say document whoops stop sorry doc you mint dot cookie and and then we're gonna just close the script like so so this will display our cookie to us not really helpful but you can imagine if we were to have this permanently posted for example as a post here and then whenever we send that link to someone and they click on it we can customize this JavaScript code to send their cookie to our web server and once we get their cookie you basically know what's going to happen there so if I hit enter to search you can see that 
it's going to display our cookie and our token and this is extremely dangerous you might not get the context but I'll explain it in a second so essentially this information can be passed and sent anywhere across the world provided that the that your target clinks clicks on a link in which this this script is executed now the question that you might be asking yourself is well where else can we post this in in sort of a malicious way and I know that I sound malicious right now but I'll also get into how to mitigate this and again mitigating it is really simple just set your HTTP status or your HTTP attribute to true or set it to on essentially securing your cookie now you can see that once we have this you saw in the previous video what we could do with such information and what info it contains in regards to the user and how we can we can you know cracker the password but for now let's focus on how this can be utilized to steal the cookie or how attackers do it so you can also get insight if you're a white hat so usually I can post this in here I can put you know I can type the script in here but this is not it's probably not the best way of doing it because you essentially have to convince the user to go into the search bar and type this in not really the best of ways about going you know but going about this so usually we look for a page that that allows us to you know to post our own stuff or to save this to a database or to save it to the website itself so we let's try contact us alright so contact us yeah that looks like a good place to start so in the comment it's already added our author for us so in the comment we can enter we can end our script in yen this will probably probably be saved but we have to test it now of course the cookie stealing JavaScript code is not something that I'm going to be telling you how to do you can probably perform a lot of Google searches it's part of the easy terms that I have to follow in regards to YouTube's YouTube's 
policies about malicious content and when what not so I'm not going to show you the exact code but I'll probably have it on my website if you want to take a look at it and experiment as to how to send cookies to another server server that belongs to you for example so to do this so now essentially what I want to do is I want to save this script into their contact section because I believe this is saved if I looked I looked at this structure and indeed this is saved so this script is quite simple so we can say we can give it a title because I know the feedback is is left like that so we can say script test and we can close the script here so script but then we have to include the the actual JavaScript code so yeah so let's include this script within the main ones so script and then once we close this one we can then use the other script so a script oops script and you can copy this code if you want by the way let me just zoom in cause a lot of you had actually talked to me about that that you couldn't actually see the code so script and now we want to bring out the alert and of course as I said this is not really useful because all you're doing is displaying the cookie to the user themselves once they visit this page so you you you probably get the idea so script alert and we add this simply is gonna write the document of course if I was sending it to a malicious server what I would have done is out of use the document dot cookie and I would have offended it to be sent in in the form of probably a PHP file or a PHP get request to my server and then my server would log all of the the information being sent back so that's the concept there behind so we can then close the script here and we have to actually close the script oops sorry my bad and we closed the script there and finally we can close the final script ending here so script and there we are and we can leave a rating if we want to and there is a CAPTCHA here or authentication 10 plus 5 you you you basically 
have this is also an exploit here that you can enter because if you look at this very basically from a simple perspective the capture here is again is another false positive and again I know I'm dragging this I'm dragging it a lot but but what I'm trying to explain here is if you are going to you are going to be performing a penetration test on a website you you need to understand that from the perspective of false positives you should not go after the big exploitations or the big exploits first alright so if I submit this as I know this structure of the OS view shop this will be submitted to one of the pages in which after I click or any other user who is authenticated clicks will will run that script or this script and will the the via cookie will be displayed on their screen and if you want to manipulate or use your own script to send their cookie to your server by all means go and do that I am not condoning it so that is 75 and I hit submit and what master on capture 10 plus 5 actually 25 yes brackets of division multiplication addition you guys must be thinking ahead mats so that is 25 plus 5 plus 10 sorry that's 35 35 and I submit that oops we have to actually type out good back in sorry about that guys so we can just type in script and we simply testing test and then after this we can close the first one and script here oops sorry about that my keyboard is quite a distance from me a litte and my spelling mistakes are really annoying script and finally we can use the document my god man by typing document dot alert dot cookie sorry we have already sent the alert we would use the doc document dot alert would essentially display the entire webpage document dot cookie and in here we close the first script and sorry the the initial script and then we close the last one here so script and we close that right there and finally we can give this a rating and we submit and that should submit it I don't know what the issue is here and there we are was for some alright 
so there we are thank you for your feedback so it did submit it there let me zoom back out now you can see that where would you go to launch this script that's that that will be the question that you might be asking so on this in this structure you can pretty much experiment with all the other pages and again I do recommend that you use you know directory discovery tools like there buster go bust or whatever is comfortable for you so with this in mind if first you just click on about us you can see that that is where the the the feedback in regards to contact is stored so there you are there's the cookie and default if I was to have implemented a script that would send the cookie to my server once I access to this page as an authenticated user it would send my my session ID all of that good stuff to my web server and I'll be able to crack the password and authenticate with your account as simple as that without ever knowing your password without ever trying to have guessed it with or without ever trying to have exploited your system I exploited the web application and because of the the inability of the developer of the web application to secure the cookies I was able to get into your account and God knows what else you can do in that person's account and this is you know this is tribute to all my facebook hacker friends out there who think hacking Facebook is is about cracking and brute 4/3 there you go you know applications can be can be cracked in or can be exploited in different ways now of course I said it's gonna get really exciting as we move along with do shop and that's the reason I'm using it because it explains how this can be done on a real website and yeah we're going to be looking at OSP juice shop and it seems to replicate what a real web application would be fairly poorly designed one but the thing I like about it is it has varying live levels of difficulty and that's really really awesome I have it set up on Heroku as you can probably see right 
over here and that works perfectly fine for me because I you know I wanted to set it up really quickly I don't want to run it on my local server you know using node or docker that's really is I really didn't have the time to do that but if you want to you can you can use Heroku and it should be free for you so yeah definitely go ahead and give it a try and you should have an instance set up for yourself so you can go ahead and do it and it's giving us a prompt ear telling us that this website uses fruit cookies to ensure you get the juiciest tracking experience you know from my experience I would hit accept the cookies because essentially that's what keeps track of your progress and yeah that's pretty that should be quite good now as for my browser I'm using the latest version of Firefox and I have you know plugins or add-ons like cookie editor and that's pretty much what we'll be needing in this video I hope and we don't have the the proxies here like sorry foxy proxy to allow us to use things like burp suite or zap whatever you want to use okay so let's get started now the first challenge as I believe is to get the scoreboard and we should start from there and to do this I think I have done this already that's really very simple all we need to do is well first of all before we actually do that the interface is quite simple it is a juice shop as you probably can see and could have understood and they sell juice now the great thing that I like about OSU shop is that this replicates a real-life web application with you know security misconfigurations etc etc so if I had log in you have your login page right over there and you can create a new account if you want to you can search where they contact us page it allows us to you know essentially contact whoever is behind the site and we have an about Us page and the thing I like about this is as I said it gates what I would call a real web application now only took about about three scoreboard I think that can be 
accessed really quickly by going into scoreboard like so so you know you can just hit scoreboard and if I enter that should give us the scoreboard all right so it gives us the notification once you've completed a challenge and the reason it does this is to notify you of your progress remember this can be considered a capture the flag type of challenge but I wouldn't call it this I think this is fantastic for essentially explaining the concepts here all right so let me explain all these scoreboard is definitely works alright so your scoreboard is as follows sorry about that if you had my phone it always seems to do that so we have we have the challenges sorted in terms of difficulty so we have a 1 star 2 star 3 star 4 star 5 star and 6 star and they all have various challenges within them so for example the the difficulty sort in terms of stall so you get the idea 1 star is quite easy two stars you know not so easy we have three stars things are getting a bit sweaty here four stars now we're talking five stars I'm banging my head on the wall and six does that's gonna take you probably a few a few days or you know hours depending on your determination alright so you can see it also gives you the gives you the challenge names here so if I click on the two star challenges you can go ahead and look at the challenges there and we provide think in the previous videos we covered a lot of the two star and three some of the four star challenges that's why I wanted to go through so the three star challenges are where things get really awesome because it does you start logging in with other users and there's a bit of cross-site scripting I'm not going to go through all of that let's start off with what we can do all right so the first challenge in the first is access the administration section of the store alright so I'm guessing we have to try and log in I think I've done this this is the first challenge we have to access a confidential document provoke an error that is not 
gracefully very gracefully handled not to show that is let us redirect you I'll try and cover as many as I can on video we have cross-site scripting attack this was simple I think we covered this so yeah we can pretty much run that in in one of these right over here so script and alert as it already gives you hints these are very very easy so you can just say test have I given the oops sorry my bad so yeah there we are test and we close that up and we also close this script right over here and we enter and there we are so that is one of the challenges solved hopefully it did pop up there so if we go back to the scoreboard it still tells us well for some reason the web application is too low it's not told us that we have performed a reflected cross-site scripting all those that don't all right so reflected anyway we'll get to that when we get to it so if we inspect the login page what we can do is we can create a user so I'm going to create a user here and I'll just use a simple user here called test at test comm and the password I'll call that password and I'm going to repeat the password here and I'll just call the password password and I'm just going to use name of your favorite pet and I'm just gonna say dog right over here I'm gonna it register and we're gonna save that alright so I can log in now did I log in with the correct test yeah there we are I'm gonna log in and we are logged in alright so let me just zoom out so the interface does not really crash on us let me just get rid of that all right so it's sorted out really well we have the language selector here your basket which essentially allows you to select your to view the items in your basket you then have your coupon if you want if you want to use a coupon and you have your checkout which essentially I believe takes you to the the osu shop donate page if i'm not wrong let's just see if that is correct yeah you so if you want to support the project I would reckon donate to them it's it's a really great 
project I really do recommend that if you can you do so so you can change your password which is awesome I think we also took a look at this and how to change it using using the get requests contact us where you can necessarily write in you can contact the the person behind the site or the administrator as I would believe you can comment recycle recycle what's this request a recycling box so you can type in liters here that has a selector all right okay that's not too bad we have a complaints board and the scoreboard itself here which for some reason keeps doesn't really load so let's try and work on the first section as I mentioned I'll try and cover as much as I can here and you have the about us here that has some sort of let's see some sort check out our boring Terms of Use let me just check the scoreboard what exactly are we supposed to do because access the administration section what's in the two star here login with the administrator all right so we're trying to access the administration section so let's try and access that right over here so I'm just gonna type in administration like so I'm gonna enter and yeah that was pretty easy and we get the email right over here admin and to shop that's the admin email and we have all the emails right over here so we have Jim and juice do shop bender and some other users and we have our soap yeah alright so we got the registered users customer feedback and the recycling requests that have been posted so far which means we're starting from the basics so I think we can try and login with admin but we don't know the password so yeah so I'm just gonna log out and let's see if we can login with the password here here admin I do shop and I probably I'm probably guessing we have to use SQL injection and in this case I think I know what to do cuz I have done this before but it has been changed quite a bit since the last time because I think in the previous versions it was with admin only there was no domain was they using 
him I'm not too sure anyway let's try and see if we can throw some errors here so if I log in all right so that means you have to provide a password so let me just try and use the single quotation and let's see if that yeah it does throw an error and yeah we completed the other challenge which you successfully solve the challenge error handling provoked an error CF so essentially performing error enumeration if that's something you've never heard of it's essentially where you just try and see how to see oh it's fuzzing really just throwing a you know information at a system see how it responds and we get here the query yeah so we are performing SQL injection because as you can see tells us here we have the DES query right over here which is telling us select and what this is saying select all entries from the user table where emails are equal to and we specify this single quotation and the password is what is this this looks like a hash what hash is this let me just check I think it might be md5 I'm not too sure let me just check this hash identifier and we just paste that in there sorry about that let me just paste that in there yeah this is md5 hash so that probably let's just see if we can decrypt that or decode that so I'm just gonna say md5 Decrypter or something like that let's just see if we can do this online really quickly come on come on I want to see what error caused that ceiling is that's a password let's decrypt that and well for some reason it's taking too much time here so yeah yeah it's essentially hashing the password alright interesting stuff there we actually now know that the password is being hashed obviously you know with the md5 hashing algorithm or protocol whatever you not call it so original and yeah that is the query statement there so we can try some basic SQL injection and some of the basic ones to log in to admin or to essentially a log into the administration the admin panel is now the thing that's weird is are we going to use the 
password yeah we are trying to get authentication so that means let me just close that that means if we just throw the error one more time or get thee when you able to get the query here so we are saying select actually starts from there select from users to select all queries or all entries from the user table from where email use a table so there's users all right so the user the user table has email and password okay I follow now so that means we can try we can try we can try and use The Awl statement here and probably we can use the not statement if we are going to yeah that will make a lot of sense but we only using email so we'll keep the single quotation so what that means is is if you know about SQL injection hopefully I can explain what's going on here so we know that the password is being hashed so we're saying select from the table where email and password so that's the statement so select from the table select from the users table where the email and password is going to be equal to is going to be equal to what we have entered but remember the the password has to be us to stay as the single quotation so that means Yahweh we are going to be using the all so this is basic you sugar should be knowing this but if you want me to cover it let me know so or equals so all one equals one and the other other ways of doing this I think I'll post a cheat sheet in the description section you can check it out for yourself just to get up to scratch with what's happening here so what we are saying is we're using the or the or the syntax of or is very simple it's where we have the what's happening here is we're saying we're saying okay so you if you know the syntax for how a query is made in s SQL is really very simple so we're saying select from from the table remember this is specifying a table not a column so I say select from the users table from select from the users table email password so a comparing and then we say all I know is specify the condition where the 
value we can enter are in two fields so we can say the value of the email can always be changed and we obviously know that that is the first account that was created and the password is going to remain the same so we hit login and yeah we get still keep on getting an error here now that is weird no because if I specify there is no comment here or one equals one yeah so it is working so you can see so select from users where one equals one and password yeah so we want to nullify and password we don't and there so for that we use the user comment here and there we are excellent so we're able to log in to the administrators user account alright so let me explain what happened there so as I said the the syntax or the query was as follows so it's selecting from the users table we're selecting the email and password and comparing them to each other so they have to match so a performing a query a simple query and what we said is or that's a conditional statement so saying or that we specified the condition where the first value is going to be equal to the the first one is it going to be equal to 1 and we nullify the the password where the password is so essentially removing authentication and we what because we're including the comment syntax for SQL alright so that was pretty simple but now the thing that's bothering me is we don't have the password so let me just check this core body and let's see what progress we've made so far so of access the administration section that's not in here that is in here so log in with the administrators user count but I know the password is so I think that's how we're going to be logging in we know the email because if I just go back into administration here administration I hope the video is not getting too long so we have the admin who have the admin email here oh yes yes yes yes we have the token so if we inspect the element and we go into the Koki editor for example we can use that or you can just use storage well I should have done 
it you know from the Koki editor from the beginning so we have the D token here and I talked about this in my other video actually went through this with the token so so we're gonna say token I think the site was it's a JSON tokens a token decode and should be the first site here there JSON web tokens so JWT dot io that's an excellent site and we talked about this so if you want to watch that video I'll post it in the description so you can check it out and the email is admin so that's the authentication token and that gives us all the information we need all right so we have the password here but again what is this hashed into that looks like md5 again but let me just confirm and let's see what that gives us so the password is hashed as we know is md5 so let's just confirm hash I didn't keep fire because they are yeah it is md5 so let's just decrypt that one more time so I'm just gonna paste in that hash there I'm just going to decrypt let's give that a few seconds oh my god man or the traffic lights and let's hit verify and yeah there we have the password is admin 1 2 3 yeah that's that's pretty basic but again replicating common practice that you would find so what was the email oh boy what was the email a meter sitting in block back crack alright so let me just use these statements oh yeah way so we're logging in so all 1 equals 1 because what does the I think we can access the the email from the administration sorry about that guys I know I'm getting really mixed up we're not logged in yet so uh anyway let me just log in and we can do the administration here stration and the admin I do shop at juice shop a juice op yeah that's there to confuse people so you can guess it and we're looking in with that and the password is admin one two three I'm gonna login and yeah fantastic so you solve the challenge password strength so that was the problem there that that's the vulnerability that they're trying to say exist so you know again password strength is something 
that people don't take into account login within message you user credentials without previously changing them or applying in skew could you have done this with SQL injection probably I'll have to cover SQL injection because me know SQL injection is one of those things that's really dependent on the query so let me just go back to the scoreboard here I don't understand what else is left there's still a lot of stuff that I have to cover I talked about cross-site scripting but I think I'll cover that in the next video we'll explain it again what is the what is the the confidential document error handling or we don't have anything much their access someone else's basket I did that what else should I want to cover here let's look at these ones right over here so yeah so the authentication area here is where I want to look at I think that's what I'm gonna end this video I know I haven't covered any advanced stuff but hopefully that's like an introduction so everywhere we have been able to log into the administrators in the administrators account we were able to get this scoreboard the administration panel what else were able to do we were able to provoke an error not sign on nothing really complex there and we were able to log in with the admin trail at the administrators user credentials now we looks like we can actually get access to Mac safe such original users credentials so again another user that we can try and get access into yeah that's going to be it for this video guys if you found via in this video please leave a like down below if you have any questions or suggestions let me know in the comment section on my social networks or on my website and I'll be sure to leave your reply and I'll be seeing you in the next video peace guys
Info
Channel: freeCodeCamp.org
Views: 635,601
Rating: 4.9421368 out of 5
Keywords: penetration testing, web penetration testing course, burp suite, hacker, hacking, kali linux, web penetration testing tools, web penetration testing with kali linux, owasp, web penetration testing tutorial, web penetration testing using kali linux, web penetration testing with kali linux tutorial, web penetration testing lab, web app penetration testing, burp suite hacking, burp suite basics, burp suite xss, hackersploit, dvwa, spidering, burte force attacks, kali, zap, dirbuster, wafw00f
Id: 2_lswM1S264
Length: 167min 56sec (10076 seconds)
Published: Wed Dec 12 2018