Transcript for:
Login Bjoern Challenge

Hey, what's up, Hacksplainer! Super excited to be back for you with another challenge called "Login Bjoern", and we do have the task to log in with Bjoern's Gmail account without previously changing his password, applying SQL injection, or hacking his Google account. This falls into the Broken Authentication category.

So, quick thing I want to point out over here: we're going to log in with Bjoern's Gmail account, so first things first, we've got to find the actual Gmail account of Bjoern. I do have another tab open over here, which is the #/administration path of OWASP Juice Shop, in which we see the registered users if we are logged in as the administrator. So this is just one way to find out about all the registered users; I will actually link you in the top right corner to how to get to that point, as we had found this in the previous video of mine. Feel free to find out about other ways to get it. Anyway, here it is: it says bjoern.kimminich@gmail.com. So let's take that for starters and copy it, because we're going to need that later. I'm going to copy it right now and we'll just leave it for later.

One thing that is also interesting is that this is a gmail.com address, and in a lot of cases you can actually use your Gmail or your Twitter or whatever account to log in to other web services. This is usually done via OAuth, and I'm having the OAuth Wikipedia page open over here just to give you a little idea of what it is. I don't want to go over all the details, but it's basically an open standard for access delegation. That means if you, for example, have an account on Google or on Facebook or on Microsoft, you can click on "Log in with Google/Facebook/Microsoft" (you've seen this before, I'm pretty sure about that), and then you can just use the web application without actually having to register a new user. So that's pretty handy, but there's a lot of things that can go wrong. And as we know that Bjoern Kimminich (so, once again, this is his Gmail address) was using that Google account to log in to Juice Shop, we can see if we can find any flaw in the JavaScript that powers and runs Juice Shop.

So let's go back over here and open up our developer tools. The JavaScript that runs it you can always find under the Debugger tab, and the more interesting one is the main-es2015.js file. So let's double-click that and that should open it up over here. If you see a string similar to mine, which is super hard to read, you want to pretty-print this first. There is this little checkbox down below here that says "Pretty print source"; let's click on that. It takes like a second, and then we have the code in another way over here which is way easier to read.

As we're assuming that there is an issue with the OAuth login of Juice Shop, the thing we can search for is the string "oauth". I'll just do that right now and see if there's anything interesting to find. Oh, here we see oauthUnavailable and a couple of other OAuth strings. In the meantime I want to point out that what we're doing over here is reviewing the code. That is a little different from all the previous challenges: we're actually not going to use Burp, but make sure to get a good understanding of how to review code, what to look out for, and how to parse through it. For JavaScript that runs a dynamic web app, I am just using the built-in developer tools that come with Firefox over here. I will just skip through the code to see if there's anything interesting that pops into my eye, and I'll keep going and going. There are endpoints, there are a couple of strings... oauthLogin, that seems to be interesting. What else? Oh, ngOnInit, and what I see over here is that it says "password" on that line. So that is interesting: we're having a line that deals with OAuth and it has the string "password" in it. And remember, we have to log in with Bjoern's Gmail account without doing anything like changing his password or applying SQL injection, so this could be interesting.

If we look at that, it says userService.oauthLogin(params.access_token).subscribe(...), let e ..., this.userService.save({ email: ... }). Just going over this and trying to get an idea of what this is doing: we see over here that the email is coming out of the parameter t. Why this is just called t is because the entire code is minified, so in the original version of the code this will probably say something different, but in order to make it harder to read and compress it a little bit, it is pretty standard that a minified version of the JavaScript that powers the web app is getting shipped. So we have to deal with that. This is called t over here, but let's assume this is a user object or something like that. So the email of that is stored in the parameter email, the password is coming out of the parameter e, and interestingly we see that e is defined right over here, and it is defined by using the btoa function, and then the email address is handed over to that function, which is getting split first, then reversed, and then joined again. So that seems to be pretty interesting. It seems to me that we have to find out what this is doing. In order to do that, I'll just quickly run a Google search on what btoa is. So let's say "btoa javascript", and we find this page over here that tells us that btoa is a method that encodes a string in Base64. Okay, so that's interesting. So apparently, if I go back, the outcome is a Base64 string, and the input to that function is the email split, reversed, and joined.

So let's just use the developer tools console to play around with that; the Console tab is right over here. As I still have the email address stored, I'll just put it in here, and actually put it in quotes, and then I will say: what if we split that? Because this is what the function is doing. So split by... no character, and we're getting an array. So we're seeing that we just split every single letter of the password and an array was created. Okay, so that's interesting, but how is this going on? Let's keep going with reversing that, because the next line was reverse. I'm reversing this and, well, now the letters are in the reversed order. So that's pretty cool as well. And now we're joining it again, and now we do have the entire email address in its reversed order.

So let's quickly go back to the btoa function, and if we look closely, it actually works like this: you use DOMWindow.btoa and then hand in the string that you want to convert. So let's go back and use that string over here, and what I'm going to do is go to position 1 and say window.btoa and put that entire piece into the function, and we already see that we're getting a Base64 string out of this. So this seems to be an interesting string. I will copy that for now and then I will just quickly go back to my Debugger. So now we're seeing that this string is assigned to e, and that the password is e and the password repeat is also e. So apparently the string we just put out in the Console tab is the password.

So let's try if that works and if we can log in with Bjoern's Gmail account. I will close this for now, I will go up over here, Account, Login, and I have the password stored already, so I will paste that over here, and the email address was bjoern.kimminich@gmail.com. Perfect. So if everything worked out, we should be logged in as Bjoern as soon as I click on Login. So let's give this a try... Awesome: "You successfully solved the challenge: Login Bjoern (log in with Bjoern's Gmail account)". That was pretty cool. So we saw how we can use the JavaScript that runs the web app to extract juicy information. So make sure you always do that and see if there's anything more in it that you can use to hack the web. With that, thank you as always for watching. Make sure to subscribe in the top right corner, and I'll see you guys soon.