Hey guys, hackers, Floyd here. And in this video, we're going to get started with the web application penetration testing series. Alright, so a lot of you guys have been asking for this, mostly because you want to learn the art of bug bounty. And here is the series. So have worked really, really hard on, you know, making it as comprehensive as possible, we're going to get started with setting up burp suite. So for those of you who don't know, what works, who it is, burp suite is essentially an integrated platform for performing security testing of web applications. Alright, so the first thing you need to understand is that it will allow us to intercept the data being sent between your browser and the web application. So it's, it's a great way of understanding how data is being transferred, and how data can be manipulated, be manipulated, between the client, and obviously, the web application. Okay, so the tool we're going to be using, as I said, is burp suite. And I'm currently running power to us. So don't worry, if you're running Windows or Kali Linux, it doesn't really matter, all we need to do is just download and install burp suite, it's pretty simple to get set up, you don't have to register, you just download the free community version. Now, obviously down the line, you might choose to buy the professional version, which I do recommend and I have used, but I don't use it as often I'm not, you know, specifically a web penetration tester, I'm more of a more of an of a web server penetration tester. So I really work with a different vectors. So by default, you can choose to bite that one to become experienced. And you know, you've chosen whether this is the path that you want to pursue, it's a fantastic path. I know a lot of people who you know, make good money with bug bounty. So you know, it's something that you can look into as well. Alright, so let's get started with setting up the proxy. Alright, so this is the intercepting proxy that allows us to, obviously, to intercept the data being sent to and from the client and the, the web, the web application. So to do that, we need we can just do it through Firefox. So the browser I'll be using is Firefox, you can use whatever you want. And by default, you want to go into your preferences that can be found here preferences, there we are. And you want to go all the way into the bottom here. That way it has the network proxy, and make sure you go into settings, and you want to go into manual proxy configuration. Alright, so this is where we're going to configure it to be the localhost with the port set at 8080. All right, and then you want to make sure that this, you use the server proxy for all protocols. So that is the proxy we're going to be using and just hit OK. Alright, and once that's done, you should be good there. Now what you want to do is just open up burp suite, so you can search for it, or I have it already on my on my little Taskbar here. And I don't think I've updated it for a while. So I probably need to do that later. But for now, I'll just close that the update prompt and it's going to prompt you Welcome to burp suite. And it's going to say not depending on the version that you've chosen to select whether you've chosen the community version, which is what I have here, or the free version, as it's called, and you then have the pro version. So by default, the community version only allows you to use a temporary project, if you have the professional version that allows you to save your project, which is, you know, great functionality as well. So just hit next and you just want to use the verb defaults. And just hit start. And just give that a few seconds to start it up. Alright, and I'll explain the interface generally, but we'll be looking more into how burp works. In the next video, I just want to get you set up with birth in this video, and you understand what exactly is going on. Alright, so welcome to birth. Now by default. Again, it may seem a little bit intimidating mostly because if you're a beginner, you have not heard of any of these of these words here and you don't really know what they're doing. Alright, so by default, you have your target proxy spider scan into the repeater, sequencer, decoder, compare extender, your project options, your user options, and alerts, we'll be going through all of this as we as we, you know, perform real world testing on our on our vulnerable on our vulnerable target, I'll be showing you how to set up a dam vulnerable web application soon, and many others but for now just focus on burp suite. Alright, so by default, you want to just go into proxy. Alright, and for some reason, I already have some data here. So you know what, I'm just going to leave that as it is, I just want to turn our intercept off. So we're not intercepting any traffic as of yet. And you want to go into your options. And you want to make sure that your proxy listeners, as you can see, burp proxy uses listeners to receive incoming HTTP requests from your browser. So you want to make sure that your proxy is set as the as the one we set in Firefox, which is the localhost 120 7.0 point 0.1 and the port is 8080 and make sure that that is running. Alright, you can also create your own and add it here and you're going to To remove it, so you get the idea. Now by default, if I just go back to my intercept, if I just go back to my browser, and this is where the real magic happens, if I just, you know, if I just open this, and I type in a simple test site example.com, and I just hit enter, alright, it's going to load it up here. But if we're going to burp suite, and I go into HTTP history, you can see that by default, there are some Firefox portals. You know, some get methods here. But we'll be looking at all of these methods or requests. By default, you can see that the example.com, the example.com, one would, you know, that we ended, you can see there is a get request. And furthermore, if you go down to the bottom here, you can see there is some more information regarding now what a request are sent to the web application. Or so by default, you can see that the host was example.com. And it gives you more information, like the Accept language, the encoding, the connection. And if you look at the headers, you can see that the header shows, you know very clearly, you have your get host, use agent accept language, the Accept encoding, connection, etc, etc. So you might be a little bit confused if this is your first time hearing about, you know, headers, and the request and response pairs. But don't worry about that we'll get to all of this for now, if I just go back into intercept, and let me just open up my browser here. And we open something like the my web, my website, would you say it just like.com. So before we do that, I just want to hit intercept on. Alright, so now it's going to intercept actively. And we just go into Hs pro.com. And I hit go. Alright, now by default is going to tell me that essentially, the mic connection is not secure, don't worry about this, just go into your and just add this as an exception. There we are made confirm exception. And now it's still not going to load the website. And the reason being is we have not forwarded the request. And they are being intercepted by burp suite. Alright, so if I go into back into burp suite, you can see that it has started the intercept process. And by default, you can see that we need to forward we need to forward the request here. So if I just forward it, let me just for that again, there we are, let me just for them for hackers out there. Yeah, that's the correct one. So all for this again. And there. We also know hackers blade should be up and running. And as you can see, I should have loaded the site. Give that a few seconds. There we are. Alright, so as you can see, that is how you intercept the data that is being sent from the client to the web application. And furthermore, that's how you, you can analyze the data being sent, and furthermore manipulated to obviously find vulnerabilities within the web application. Alright, so irregardless of all of this, I know, this was very, very basic, and it's not really covered anything in terms of web application penetration testing. But don't worry about that, you know, we start off really, really simple. And we build on that. We're going to get started with spidering, more specifically spidering, with burp suite. And, you know, the purpose of this video or this tutorial, is to help you understand the spidering process and how to go about doing it with a burp suite. Alright, so there's going to be a little bit of theory here, but I'll be explaining a lot of things. So again, this video is really focused on understanding spidering. Now, before we get started with that, I just wanted to let you know that the target or our web application that we're going to be targeting, we're going to be attacking is the damn vulnerable web application. Now, if you don't know what the damn vulnerable web application is, that's fine, you can just Google it. And I'll probably make a video on how to get it installed on Kali Linux. But what I would recommend if you're, you know, beginner, or even if you're a professional in hacking, probably one of the best things that you need to have, you know, in your kit is Metasploit able to write and for the simple reason that it contains, first and foremost a vulnerable operating system. And secondly, it contains all the vulnerable web applications that we will be using at one stage during this series. Okay, so we're going to be starting off with the damn vulnerable web application. As I said, it comes pre installed with meta splittable, too. So all you need to do is get the local IP address on your mat, exploitable to virtual machine, which in my case is 190 2.1 68 point 1.1 a dupe. So what I'm going to do is I'm going to open up my browser, and I'm just going to open up that webs that IP address point 1.1 or two, and just give it a few seconds to load up. As you can see, there we are, that's made exploitable too. And it's going to prompt us to select what vulnerable web app we want to use. In this case, we're going to select the DV w A, which is the dam vulnerable web application. So just click on that and it's going to ask you for your admin and password in this case for your username and password Sorry about that, in this case Your username is admin and the password is password. Alright, so just hit login, and it's going to log you into the damn vulnerable web application. Now we'll be looking at this at a more in a later video. And the reason is we have to go through all of these options. But for now, if you go to the login, just remember where it was, if I can just go to the security, so to the dam vulnerable web application security, at the moment, it was high, because I was actually performing some tests on it, but just change it to medium or low. But for now, you wouldn't be using it. I was just letting you know what web application we're going to be using. Alright, that being said, let's move on to burp suite. All right, and we can I can start explaining the spidering process. Right. So let me just open up burp suite. So I've updated it to the latest version. I think I'm running Catalina next now in the previous video, I was running parrot. So I think there should be an update, but I could be wrong. So let's just give that a few seconds to start up yet there is an update. So I'll do that later. And we'll just click on create our temporary project and use the bap default and start that. Okay, so once that starting, let me explain what spidering is right now the purpose of spidering is to identify our scope, alright, or what, what we want to scan. Now this is not exactly scanning, and we'll be looking at scanning. But essentially spidering is the process of mapping out our web application, and is very, very useful for finding links and and web forms, which is also very important because it will allow us to then furthermore, attack the web forms manipulate headers, etc, etc. Right now, when you talk about automatic spidering with burp suite, it essentially when when burp is spidering, it follows links and it will, it will start following links and it will start identifying for files, folders and forms from the web application. And it will, the great thing about this is it will record all the requests and responses while it's performing the the old spidering process. Okay, so once you have a burp suite opened up here, you can let me just expand it. So we have a greater picture of what's going on exactly. Sorry, if my virtual machine is a little bit slow, I need to configure it correctly. Anyway, what you want to do is we have looked at the proxy check section, let's look at the spider section. And in here, this is a very, very simple menu and to understand it, you can see that we have two tabs available, we have the control tab and we have the options tab. Alright, the control tab. Essentially, if we just click if I just look, if we look at it, as you can see, these settings are used to monitor and control the web spider. So it allows you to stop to start and stop the burp spidering. And you can also clear the cues. Alright, when you look at the options, which is right here, sorry about that, when you look at the options, there are a lot of options, we'll be looking at them, I will be looking at them in a second. Sorry about that, I actually got an email, apologies that. Let's get started. Now with the control section. So the control section, it will all we are able to control the spider status where we can stop it and started and you know, furthermore, we can clear the cues that already exists there. Alright, we then have the spider scope where we can, we can define our own scope. And depending on what we want to spider, we look at that in a few seconds. And finally, we look at the well if we look in the Options section here, we have the crawler settings which allow us to specify the way the spider is going to crawl for the web content on the web application, we'll be looking at the maximum link depth and what that means passive spidering that allows us to essentially spider to continue spidering when we are looking through or we're going through the web application, we're performing requests and responses when we're performing requests. As for the form submission, this is probably something that we'll be looking at in the next video and we'll be doing this. Practically we will be actually performing the we'll be performing the spidering process. But for now, let me see what else Yes, the request headers. The request headers are used to you can manipulate essentially the headers. If you've learned about HTTP headers, by the way, I really want to cover HTTP because it's very important that you understand how the ad is work. But we'll be looking at this all in advance. But now let's start off with the spider status. Well, not really with the spider status. But looking at the control tab. If you look at the spider scope, you can see that you can it will use the default suite scope, which is defined in the target tab. If you just click on use a custom scope, you can see that Okay, first, you over, if you just click on this little cog here, you can restore the default, you can load your own and you can save the options. So that's just to do with that. Now when you talk about using the advanced scope here is where you can essentially this is where you specify what you want to map so you can specify a host, the port, etc, etc. Okay, again, we'll be looking at all of this as We move along. But for now, we're just going to use the default suite scope, we can just, if once you click on that, it's going to start the spidering process, but we don't need it right now. So I'm just going to come just going to pause it. And if we move on to the options now the Options tab has a lot of stuff that we need to look into. First and foremost, we have the CRO, the crawler settings. Alright. So when you're talking about the basic options, for example, we can specify what the spider will crawl for. So it you can choose to select for robots, the robots dot txt file, which is very important because it shows you, you know, exclusions, you then can detect, you can ignore the links to non text content, you can request the root of all directories very important stuff. But again, you can customize this to your liking. Now, one of the things I would recommend that you'd not touch with, if you do not know what you're doing yet is the maximum link. That's right, the maximum link depth is essentially the number of links you want the spider to, to essentially, to crawl or to map. Now by default five is in my, in my, in my situation, or in my case, what I like doing is alternating between three to five, anything higher than that will usually overload the web application, and it will cause it to lag or to respond very, very slowly. And, you know, again, that might not mean a lot right now, but trust me, when you'll actually be performing the penetration test on the web application, you really need a good response. Otherwise, you have your time to live, etc, etc. Okay, so let's look at what passive spidering is, alright, so as passive spidering. And said, is essentially just, it allows you to continue scanning, you know, or going through, or actually performing your requests how as as it, it essentially allows you to continue the spidering process as you're performing any other tasks. So as you can see, passes by during monitors, monitors traffic through the burp proxy to update the sitemap without making any new requests, right. So passively spiders you browse, you can also select the link depth associated with proxy requests now this, I would recommend keeping it at zero to two. And that's because again, you do not want a very, very deep alert link depth in the sense that you're also going to be performing your own requests, and you'll be doing many other things you could be looking at the decoder or you could be looking at, you could be focusing on the target, and you don't want it again to to slow down the web application. Alright, so form submission. Again, this is something that I said we'll be talking about in the next video, because it is quite advanced. And we'll get started with the damn vulnerable web application there. Moving on to the spider engine, we'll be looking at application login as well. But for now, just we'll just keep over that when we talk about the spider engine. Alright, these settings control the engineers for making HTTP requests one spidering. Right. So this allows you to change the number of threads you want to use. And as I said, using more than we can see right now it's at 10, what I would recommend is still keeping it within the range of two to five are all you might, you might cause the web application to slow down. And these are more advanced settings that you can use dependent on timing. All right, and we've talked about the request headers, they allow you to modify the way the spider will we look towards the web applications, for example, you could you could edit the the device that is being used. And you could change it, for example, into a mobile device and you get the idea you you essentially allows you to to change the request headers. And from that, obviously, you'll get a response back, dependent on what you changed. Alright, so that was the spidering, or actually the theory revolving on spidering. Now we'll be looking at how spidering really works in the next video. I know some of you may not like this that I actually went through through theory, and I haven't talked about doing anything. But remember, it's very, very important to understand what exactly is happening behind spidering. And in the next video, we'll actually get started with the spidering process. Get started with brute forcing with the rates or our vulnerable web application of choice is going to be the damn vulnerable web application, as we discussed in the previous video, alright, and I'm going to be using meta exploitable to as our as my server. By default, you can install medispa, you can install the damn vulnerable web application on your Kali Linux, and you can host it on your local on your local server. And you can you can then perform your attacks. But I like running it from another virtual machine. And as you can see, I'm running it on the Metasploit able to virtual machine. And by default, it's connected to my local network and it's bridged. So you can see that my local IP address is 190 2.168 point 1.1 or two. Alright, so I already have the damn vulnerable web application open as you can see it is running on the that IP address of the meta splittable to virtual machine on the the damn vulnerable web application. So for those of you asking why I'm using Metasploit able to instead of meta splittable. Three, it's because Metasploit able to has a much larger choice in terms of vulnerable web applications. And it's really good for practicing. Alright, so make sure you're logged into your damn vulnerable web application, you need the default username is admin and the password is password. Alright, it's really very simple. Alright, by default, In this video, we're going to set our security level too low. If you don't know how to do that, you can go into your deverbal web application security. And you can set that too low, and you can just hit submit. The reason we're setting it too low is because most logins Are you know, if you look at the real world, if you're talking about big sites, this attack may very well work on sites that are older, or sites that have not been updated, or sites that don't have good security, you'll be shocked to find some really big companies that actually don't have any login protection, or brute force protection for that matter. Now, that being said, what I was talking about is if we go to brute force, you can see that we have a login prompt here. Now I forgotten the username and password, and we're going to be brute forcing it live. Alright, but before we do that, we need to actually start our birth. Alright, so start up that suite. And you can see I'm using the Community Edition. And it is the latest version, right? So make sure that yours is the latest version, obviously, for obvious reasons. And we're just going to start a temporary project because I don't use the pro version. And we're going to hit use the birth defaults when you start work. Alright, give that a few seconds to start the to start back. And now you want to make sure you you're using the proxy. So we're going to go into preferences, and advanced and whoops, burp is oh opened up, let me just go into my proxies, network settings. And we make sure that it's using the manual proxy configuration, which is the localhost 120 7.0 point 0.1. And the port is 8080. We're gonna hit OK, excellent. Now we need to move into burp back again. And we want to make sure that we go into proxy, and the intercept is set to off. All right, the reason we're setting the intercept off, is because I just want to show you something first. Now by default intercept essentially just means that you're not intercepting the request, the requests and the responses being sent from the web application to your browser. Okay, so we have already set the proxy for the browser, but we're not intercepting. So if we just test a random username like test, and we say a password like 12345, you can see if I hit login, it's going to tell me that that is incorrect. Now, if I set the intercept to on to see the request, let me just turn it on. And we can now reload this we can say test and the password 12345. We can see that now it's for some reason, let me just forward that after actually just turn that off. And we now see log in. And for some reason that is not allowing us because you have to reload. Alright, so now if I hit intercept on, and whoops, let me just open up my browser and hit the parcel 1345. Log In. For some reason it's going to, it's going to slowly reloading here. I probably there we are. Alright, so I've reloaded the page. And as you can see, now the intercept is on and we go back to burp, you can see that we got the get request being sent by the web application. Now let's inspect it for a while now we'll be looking at what all of this really means but by By default, the most important thing right now is the get request. Alright, so you can see that the get request has two values here. It has the username and the and the password. Now the values again are not important we're going to be brute forcing the values but it's very important to get the fields that we're using here. Now what am I talking about if you look at the cookie you can see the security is low. And if you were to edit the value and for the package, you can set it too high that is basic stuff that's good stuff right? But now we want to brute force this login. Alright, and how do we do that you can see the first thing we need to do is we're going to be using the intruder alright so if you're a bit confused about what the in today's Don't be worried intruder is essentially allow allows us to edit the parameters, it allows us to edit the requests and then obviously edit them and manipulate them so we can get the desired results. Now the great thing about there in the intruder is it allows us to perform attacks like the brute force, etc, etc. Alright, but now what we need to do is we need to send this request into the intruder so that we can send our own response. Alright, so we're going to right click and send to intruder. So we just send it to intruder. And once it's sent to the intruder, you can just hit forward. Alright, we don't need window, we don't need that GET request anymore. So now you want to go into the intruder and you want going to your positions. And as you can see in your positions you have got you have got the get request that we were we just intercepted. And now you can see something really interesting. It's highlighted for you all the different payloads. Okay, all the different fields that we can brute force for. By default we have the username value, the password value, the login value, we have the F the SF ID value, we have the the cookie value, no No, no, we don't need all of these The only values that we need The username and the password value. So the most important thing you need to do right now is you need to clear just hit clear. Alright, oops, sorry, not that clear. I beg, I beg your apology there. I sorry, I didn't mean that what I'm trying to say is I'm sorry, just clear, just hit clear. And as you can see, now, no values are being selected to be brute force against. So now we need to select them manually. But before that, we're going to be using the the cluster bomb attack type. Alright, the reason we're using the cluster bomb attack type is because we are going to be using two values, we are brute forcing against two values. Remember that, okay, and these need to be set in, in combination. So that means it's much better to use a cluster bomb because essentially, you're clustering to values that need to be that need to be tested against the login, the login application, or the login form together, alright, so in a combination, so we need to select cluster bomb. And now we need to select the values because those are the those are that is what we want to brute force again. So just highlight the value, it doesn't matter the password or the username is just highlight it, and you want to hit Add. Alright, so just hit Add. And as you can see, we have selected that, you know, going to the password, and you want to highlight that as well. And you just want to add that, as you can see now once you have added that those are the two values we're going to be brute forcing against, make sure that none of the others are selected none of the other values. Once that is done, you're you're almost there now. Now you want to go into your payloads. Right now in your payloads, you want to make sure that your payload set is set to two, which is your username and your password. So let's start off with your payload set as payload one, all right as your payload type, make sure that that is a simple list. Because you can see we were only targeting usernames and passwords. So we don't need, you know, a runtime file, or we're not changing anything, you know, dependent on Unicode etc, you get the idea. Okay, so simple list. And now you're going to your payload options, which is where you select your user list or your password list or your word list. Now, we're not using a word list. But if you want to, you can if you're performing this on a real site, which I don't recommend unless you have written permission. Now since we're using this in our penetration testing lab, we are going to just add the default usernames and said the security of the site is low. And it's not really a complex a brute force to crack. Okay, so what we want to do is, we want to make sure we have set payload set to one, which is going to be for our usernames. So now we can go into load where you can load your default usernames and your passwords or your word lists, but by default, we're going to add our own Alright, so we're gonna say, whoops, we, for some, we're just gonna say, we're going to type in a now like the commonly used usernames, alright, so something like admin, administrator whoops, for some reason, actually, let me just remove these blank values there. admin now administrator, administrator, let me just type that back in. administrator, like, so administrator, for those of you telling me that my typing is bad. That's because my microphone is right in front of me, and I can't really see what I'm typing administrator. Let's see what else what are the default ones like we have root, we have password. Actually, we're not setting the passwords right now. So we can just type in the default ones like this. All right, so we can say test, you know, the default ones, user one, whatever you think could be the most commonly used ones, okay? Or if you know what the username is, that is even better. So we're gonna add all the usernames. Alright, so we've added the usernames that we want to use. Now by default, again, I'm saying you can use a word list if you want to just go into load and select the word list. Now we want to select our passwords, right? So we can go into the payload set to. And as you can see, now we can add our own values. Now we can use the default word lists that come with Kali Linux. So if I go into my root, and I'm going to use them, share and reselect word lists, let me just find where word lists are. If I can find them, there we are word lists. And they are the ones that work great for me in the Metasploit folder. And you can look for the default passwords. As you can see, you have your database default passwords, you have your default, user password for services, that's also great. It has a great list of of default usernames and passwords that you can use. But for me, I'm not going to use this because we are sticking to the basics. And now you want to add your own password. So we can select again, some randomly, you know, commonly used passwords. So pass, you can say password. Let's see what else admin, you know, admin again, whoops, let me just remove that one admin. Route, you can use route. Let's see, let me think 12345. That was the one that I've seen many network administrators using 12345. And you get the idea. All right, so we've set our two payloads. payload one is set for usernames. payload two is set for passwords. Excellent. All right now, we have selected our payload types we have selected we have added our payload options. We don't need to look at payload processing that is advanced once That's done, what you want to do is going to intruder and start the attack. Alright, and now it's going to tell you that the Community Edition of burp contains a demo version, but it's essentially telling you that the process is going to be slow. Alright, so we're gonna hit OK. And it's going to start at the attack. As you can see, it's going through all the combinations. And as you can see, the combinations that we have here are 25, and is going to go through all of them. Now, one great thing that you need to do here or one important thing that you need to do is you need to understand the the the status codes that the server or the web application is sending back. Now, that's a good way of, of understanding what password is correct? And what what username is correct and what password is not correct. Okay. So if we look now, at the, at the results, as you can see that it's finished, it's going through the brute force attack, we check the status, the status is still the same, we have a status to 200. If we look at the length, right, the length is going to be still the same. But you have to look for things that are not that are not matching. So for example, you can see that the length here that was returned was 4948. And it's not, it's not following the format of the others. So that means that this could be the username and password, don't worry about the status, the status will still remain the same, regardless of that. But when we'll be looking at Advanced Server penetration testing, that's something important. So you can see that the get that we've got here is very important. Now if we look at the if we look at the response that will be sent. Right there, you can see the response. And if we render it, you can see that if it was successful, it will tell us that we've logged in successfully. So let me just browse down all the way as you can see, welcome to the password protected area admin. And there you go, that is the username and the password is admin and password. Now again, this was really simple. Again, you can you can increase the security if you're practicing on your own. But you can see that this really works. And this is how to utilize burp for advanced stuff like brute forcing. Now again, most of the advanced websites nowadays have great content management systems that have the security plugins that essentially prevent you from brute forcing or lock you out. But most of the oldest sites, you'll be, you'll be actually quite shocked to find out that they are brute forces, they are log informed sorry, are not protected. Now we've already logged in, and you can see that the default username is admin, and the password is password. Okay, so you can look at the role. The raw HTTP here, you can look at the request and the response. Or you can look at them and you can inspect them, if that's what you do. And you can look at the headers, what's being sent, all that good stuff. But that was going to be it for this video. And now if we just go back into burp, let me just go into my proxy. And I'm going to disable intercept. And we can try and log in here. So we know that the admin username is admin and the password is password. So let me log in. And welcome to the password protected admin area fantastic. In this video, we're going to be looking at selecting our verbs with our target in web suite, adding it to our scope, and then finally spidering it as my vulnerable operating system, I'm going to be using the Matilda de which comes pre installed on Metasploit able to so you should download Well, I would recommend that you download Metasploit able to, it's a fantastic option for any of you who are just getting into penetration testing offers multiple vulnerable web applications and vulnerable systems that you can practice with. So again, it's something that I really, really recommend. That being said, as you can see, I have made exploitable to virtual machine running. And I have already looked at my local IP address, you can do that by typing in if config that will display to you your your current network interface and your local IP address. Because we are doing this in our virtual penetration testing lab. Alright, so let's go back to Kali Linux now. And I'm going to open up my browser, make sure you get your IP address. And as I said, again, we're going to be using motility. So if you don't know what Mattila day is Mattila day is simply a vulnerable web application. And the reason I'm switching I'm switching from the damn vulnerable web application is because I want to show you a few, I really want to make it a bit diverse in terms of the web applications that we use. Alright, so let's get started now. Now I already have the IP address of my virtual machine opened up here in my browser, as you can see, 190 2.1 68 point 1.14. So if I reload this, you can see that it indeed is the meta splittable to server and I can just go ahead and click on Mattila day. Alright, now what I should do now is go into my preferences, you can do that by opening a new tab. So let me just open a new tab here going into preferences, and then selecting advanced and network and finally settings. And then you want to make sure you select a manual proxy configuration. And then make sure it's using the localhost proxy, which is wondering 7.0 point 0.1 Port 8080 and hit OK. Once that's done, we know that burp suite can intercept. Not that we want to do that in this video, we just want to, we want to have a look at, we want to map the web, the web application. Alright, so we're not going to change anything in Mattila day. But I'm going to be showing you some pretty interesting things in this video. So now we should start up burp suite community. Now I'm going to be explaining something at the end of the video that is really important. And it is in regards to the community version, and the professional version of burp suite and what what the differences are and why you will need at some point to get the professional version. Okay, so I'm going to select a temporary project, I'm using the community version as of right now, hit Next, use the bird default, and I'm going to start up. Alright, so it's going to start burp suite. And let me just minimize the browser here. So give that a few seconds to start up. And once it starts up, what you want to do immediately is turn off the proxy, we want to stop in the intercepting because we are not intercepting any requests, or we are not inserting any responses. So go back into your target. And now we can get started with with actually reloading the page right here. So let's reload that. And we should be able to see what's going on. And we should have the sitemap. Alright, so let me just open up the burp suite here. Fantastic. Alright, so now you can see something very interesting has happened here. In our target. And sitemap, we have the files that were discovered here. Well, essentially, we have the web server that then has the modality folder, which is our target. Now before I get into any of that, the site map will show you the current site map. Obviously a site map is essentially sorry about that a site site map is essentially the structure or the format of the webpage, and how the web page was constructed and how it will function in regards to every other piece of content. Okay, so the first thing that we need to do, or we'll be looking at is actually selecting our target, which in this case, again, is Mattila day. And you can do that by right clicking and hitting add to scope. All right, so you might be asking what exactly the scope means? Well, a scope essentially allows us to define our automated spidering. And what this means is we are focusing our only on our target, we're not going to focus on the reference links, like you can see here, for example, we have to it as a reference link, backtrack, dynamic drive, Eclipse, etc, etc, you get the idea. So scoping is essentially selecting our target, isolating it, so that we only see what we need to see. And the obviously the results that we want to see. So I'm going to right click on Mattila day, and I'm going to hit Add to scope. Alright, so now it's going to say you've added an item to to the target scope, do you want that proxy to to stop sending out scope items out of scope items to the history of the other bedtools? Yes, again, we want to make sure that we are we clear out all the junk that we don't need. Now you might have noticed? Well, that's essentially happened, but nothing is really changed. And as you can see, it's gonna tell you here logging of out of scope, proxy traffic is disabled, don't worry about that, just leave it as it is, if you want to re enable it, you can go ahead but right now you don't need to do that. Okay, so we've looked at how to add our target to the scope. Now, let's look at spidering is essentially the the first and the most important step of web application penetration testing. Alright, it is it deals with or it is in it is in relation with footprinting. And this is why I bring the comparison from penetration testing to obviously web application penetration testing it is to deal it essentially deals with crawling through the website. And then it records all the files, the links and the methods and the methods that it can get. And that helps us build an idea of how the web application is structured, how it works. And then finally, we can learn how we can break through it. What we need to do is we need to spider our target. Well, we have added it to the scope, which is great. And now we need to spider it. So what we're going to do is we're going to we're going to use spider and this will help us identify all the links and the parameters that we need. Again, as I said, it's like footprinting. So what you want to do is right click on your target, which in this case is Mattila day, and you want to spider this branch. Alright, so I'm going to spider this branch. And no, something interesting is going to start happening. As you can see, it's going to start getting all the links all the resources that it can, and it's going to prompt you with here a submit form. Okay, now, what you can do is just ignore the form, there'll be quite a few essentially, these are default login forms where it's asking you to enter credentials that you might want to enter, let's say you, you're performing whitebox, then Richard testing and you have the details. You can again log in like this and perform internal penetration tests. But we're going to assume that you're you do not know your penetration, you're essentially performing a penetration test on the security. So I'm going to ignore all of these forms. Okay. And as you can see, there's another one right there and the spidering is probably continuing. Now if you want to view the status of these By doing, you can go into spider. And as you can see you have the status of the spider. And once it's done, you will see that the requests made will stop changing. And the bytes transferred, will also stop changing so we can stop the spider. Now you noticed something that we were faced with those are form login prompts. Now, you can choose to enter them as a prompt or as you're prompted, but the better way of doing this is to actually you actually do this automatically. And you can do this by going into spider. And you want to go into options, and you want to go in to your application login. Alright. Now, if you look at the form submission, it is essentially what it's doing is is going to use the default form submissions that you would find in a database. So for example, we have male, first name, last name, surname, name, address, you get the idea. So those are default values that one would, one would be expected to find. Now we're looking at the application login. As you can see, its option is set to prompt for guidance, we want to change this to automatically submit these credentials. Now in here you can enter default credentials. Or if you have an idea of what the credentials you might expect to find. Now, this is where creativity and sheer information gathering comes into play. So if you need a new the default, you know, usernames and passwords, you can enter them here. Now what I'm going to do is I'm going to enter a string that is, well, I've used it before in performing SQL injection, and we'll talk about SQL injection because it is very advanced. If you know SQL injection, or you have you have an idea or experience with the databases, you might understand what this string means. Alright, so for my username, I'm going to change that to admin, quotation mark and say, or one equal one, and two dashes. All right space and a dash. Now you don't need to worry what this means for now, please do not stress about this, I will explain it when the time is right. All right. So leave the password as it is. And don't worry about that. Now, we had, we don't need to change anything in terms of these tabs, we talked about these tabs in the theory section. And now we can go back into our control and target. And finally, we can spider the application again, once more so that we can enter the we can essentially process the strings that we that we just entered in terms of the user name, so I'm going to right click and spider this branch. Okay, so it's going to start spidering. And if we look at the spider, you can see that the the spidering is complete. And you can essentially clear the cues if you want to clear the clear them like so. And you can keep on running it depending on what you want to do. Okay, so I'm just going to pause it. And now we have essentially spidered the web application. And you might be asking, well, I've seen a few reference sites, that's not helping much, you know, we don't need twitter.com or you know, sizzle js, this might give us a basic idea of what types of sites are linked to to the web application. But in reality, you can see we have hackers.org not not very important information at all. Now, what if we click on the Mattila day folder? Oh, look at that. That's really interesting. Now that is very, very important. What has happened here is it's given us the structure of the web application, this is vitally important. All right now, again, as I'm saying, you can look at how the website or the web application is structured. So in documentation, you can see you can go ahead and read the documentation, you can look at the images that the website has the styles, so you can inspect the entire site and understand what exactly is going on here or get an idea of what the person who developed the website was thinking. And then finally, out of experience, or as we'll be looking at out of knowledge, you can actually understand how to exploit the system. And that we will be talking about discovering hidden files, hidden files, like admin pages, login pages, you know, that really juicy stuff. And we'll be talking about that in the next video. And that's because that sweet Community Edition does not support or have allow you to use that feature. So what I'm going to do in the next video, I'm going to be using burp suite Pro, and also show you an alternative program. I'm sure you've heard of it. That also works on Windows. Of course, that's how it works on Windows. But I'm not really a Windows fan when it comes down to penetration testing. So that being said, we have essentially spider the application we have the structure of the web application. And now we need to look at something also very interesting as we have already talked about it. Let me just complete. Let me just show you how to get rid of all of these reference links and to essentially show the items in the scope only. So what you can do is just click on filter right here, this little bar here is the filter bar. So click on it, and it's going to show you bring up this smaller window and you want to focus on the filter by request type and make sure you check show only in scope items. This will essentially filter all the results to show you only links or resources or files that are within the scope. So once that's done, just click back on the filter. And as you can see it has got rid of all the junk that you do not need whatsoever. And now you can essentially look at the, the requests and the responses and analyze them accurately defined to your scope. And this will essentially, it will stop confusing you, I've seen many beginners make this mistake where they don't define the scope. They do not know what the target is, and they're getting links that are not even relate to the website that they're, they're trying to perform the penetration test on. Now, since you know this knowledge, this will help you get a solid foundation. And again, you can start logging out of skip out of scope proxy traffic when you want. Again, that's very nice that they add that button right over there. Alright, so now you only have the files that you require, or the files that you're currently performing the penetration test only. Now I know this, this video was slightly, there was not a lot of action. But again, it is very important that you get this in the next video, we'll be looking at how to how to discover hidden files or files in general that you are not supposed to find. Okay. And that can be done by right clicking and going into engagement tools. As you can see, it is defined to the professional version of burp suite. And we will be going into discover content where I'll be explaining to you how to find things like the login page or the configuration page. Some things that web developers, you know, actually just may try to hide them. But if it's actually found, can really exploit the website or can lead to the exploitation of the website. We're going to start looking at how to discover hidden files. But before that, I just want to take you through a few things. Alright, so let's start off with what OS base or o w SP. Alright, so what does that mean? Well, essentially what it means, or what it stands for is the open web application security project. Alright, and its goal. Well, essentially, it is a nonprofit organization whose goal is focused on improving the security of software. All right, so its job is to improve the security of software. Now this project, the O w SP, or the open web application security project, created a tool called as the Zed attack proxy. Or as you know, it the zap, many people like calling it zap. And I'm sure most of you have heard of it. And you might have been, you might be leaning towards burp suite a little bit more. But I can guarantee you that zap is one of my favorite tools. And I use it because firstly, it's free. And for the people like for the students I teach, I usually tell them to start with zap because if you get zap, you'll automatically get burp suite. And you only need burp suite when you're moving into an enterprise environment where you know, burpsuite is the recommended tool. And it is the tool that you must use to adhere to certain rules and ethics. That being said zap is a fantastic tool. It's absolutely free. As you can see the old w SP Zed attack proxy proxy, which is, you know, abbreviated as zap is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers, right. So it helps you find security vulnerabilities in your web applications while you're developing and testing applications. So again, if you're a web application developer, this is also a fantastic tool for you. And as I said, it's going to be a fantastic alternative to do burp suite. All right now that's not to say that burp is bad. burp is more of a enterprise an enterprise developed software. As I've mentioned in the for the first video of this series, burp is focused on professionals. Now that's not to say that zap isn't, but you'll get the idea. Alright, so I'm going to be making a separate video on installing zap and I'm going to make a video on how to get accustomed to the interface because it is slightly different. And the language or English used for the interface is again very well obviously very different but it is quite different. So again, getting used to it was also something that is quite helpful because we'll be needing some of the enterprise features and on only a tool like zap will be a great alternative. However, if you do have burp suite Pro, go ahead, it will it will just be the same thing. As I mentioned in the previous video, it's really very easy to to follow up where we left. Okay, that being said, it runs on the same network proxy, it runs on the localhost. So make sure you're running it on the localhost and on port 8080. I'll be showing you how to change the port if you so feel you want to. That's also another great thing about us as AP is it allows you to change the proxies. So I have Mattila day opened up here and it is again running on my Metasploit able to virtual machine and it's running on the IP address my local IP address 190 2.1 68 point 1.104 as you can see Mattila day. Alright, so that's working perfectly. So let me just leave those other tabs open because again, there's no there's no real harm. Okay, so, again, you can configure the material at a security level if that's what you want, you know to do to make things harder. But I'm just going to be showing you the focus of this video, which is how to find hidden files. Now, you might be asking, why do we need to find hidden files? Or why do we need to discover these hidden files or hidden files? Firstly, are the files like admin login pages, you know, maybe a robots dot txt, but that's not really something that's hidden nowadays. It could be a txt containing maybe usernames, you know, something really weird, or, you know, pardon my English or pardon my language, something dumb that the web developers left behind, or, you know, just not configured correctly. And you'll see what I mean in a few seconds. All right. So again, these are the files that are hidden, and you will not find them after spidering, your web application or website. Alright, so let's get started with zap. As you can see, I have the logo right here on my it's added to my favorites, let me just launch it, give it a few seconds, and it should start up. There we are, the zap, give it a few seconds again, and make sure you update it usually the updates for the modules very, very regularly. So make sure you update them to the latest version, as they improve the speed and so on and so forth. Alright, so it's going to prompt you here, do you want to persist the substation, that means Do you want to save this app session, I don't, I do not want to persist the session at this moment in time. So I'm going to start. Again, don't worry, if you're not familiar with the interface, I'll be going through it in another video because it deserves Now you might be a little bit overwhelmed. But do not worry, do not stop going to you know URLs to attack that may seem really really tempting. But again, you know, let's take it nice and easy. So let's talk about the proxy, how to change the proxies. So to do that, you can go into your cog right here, as you can see, or you can go into tools and go into options. Alright, but I like going into this little cog here. And once you press on, once you click on the cog, let me just enlarge that, you will see that you have this huge menu. And again, as I said, zap is a really advanced tool, and in some cases can totally replace burp suite. Now, looking at the proxies, you want to go for the local proxies right here. It's obviously starting with L. So local proxies, and make sure that the address is hosted on localhost. And you can change the port if you're using burp suite and stuff, like you're just using both the applications at the same time, or you're running something on localhost already. So you can change it to something like 8081, whatever you feel is comfortable for you. Okay, so that's how to change your proxies. And if you're running the ad net, you can also go check this and that you should be good there, if you don't find that the proxy is working. So just hit OK. Alright, now, you see that there is no draya We are not going to be looking at intercepting right now, but we will be looking at that in a few in probably the next videos, the advanced videos with SAP. Alright, so let me just reload the material a page. And as you can see, I'm running the proxy. So I'm just going to reload the page. And as you can see, we are not intercepting actively. So Whoa, what's this? Well, we got some files here. Let me just reload the page one more time. And there we are, we are getting some results. So we get the IP 190 2.1 68 point 1.14. That's the server and if we just click on this drop down here, we get request. So you can analyze the get request. If that's what you want, you can right click, and then analyze. All right now will we not be looking at that right now because I want to focus on finding the or discovering the hidden files. So what we'll do is we want to click on the utility folder. Now one of the great things I like about zap is it already gives you the file structure or the website structure immediately here. Alright, so again, so you have your images folder, which has it, the images there, you have JavaScript styles, and your all the resources in regards to the website that it could find naturally. Alright. So if we, if we just look at the bottom here, you can see that it it's showing you a timestamp with the method that the URL, and it gives you the the code which means the pages in this case, the 200 code means the page was found, you have the reason you have the RTT, the size, the alert, as you can see, it's telling us we have a high alert here. Now don't worry about that. Again, these are things that you know will be will really be tempting, but again, let's take it slow. Alright, so the first thing you want to do or you need to do is to right click here, and you want to go to attack and hit spider. Alright, so we want to spider the website or the web application and start scan Do not touch anything here. Just make sure it's using the appropriate server address and just hit scan. Right now it's going to spider the entire web application and it's going to give you a little progress bar here. You can pause it or stop it which is also great to see at the bottom you should have also noticed that you have your tabs here that work really really well. And as you can see the the website now is completely spidered. And if we just check all the files that we can find now you can see that we have some more JavaScript files. And essentially what's happened here is the entire site has been, has been spidered. Okay, now we already did this with burp. And the you know, you've you're probably really bored of this right now. So what we're going to do now is we need to, we need to start discovering the hidden content, right. So let me just close all of this up. There we are. Fantastic. Now, let me just open that up. And let's go to Mattel today. Oops, my bad Sorry about that, guys. And we want to right click on Mattila day, and you want to go to attack and you want to go to first browse directory and children that's very important. First browse directory will not display everything, we'll also be looking at fuzzing, but that's for later. Alright, so you want to make sure you hit forced browse directory, just click on that. And it's going to open up this tab here. So you can see we are despite the tab open, which you can close read if you're not using it, which is also great. I really like the management of zap, you then have output for your outputs alerts. As you can see, you have some alerts here that will alert you on some potential vulnerabilities. So for example, APPLICATION ERROR, disclose, you have some cookies, a noise GTP flag. So again, awesome stuff there. We have to get requests, all that good stuff, which is again focused on a different type of attack. And as you can see, by default, we've got the robots. txt here, which you can analyze if you want to, by clicking and going ahead and doing that. So you can copy the URL to the browser. So again, copy the URL to clipboard, alright, and if we just try and explore this, let me just paste and go here. As you can see, we're for some reason, we're not actually getting robots to txt. Let me use the motility date. Till today, or actually, you know what, let's not do that right now, because I really want to stay on topic here. So I'm just gonna go back into that. Again, I always love going off topic, fourth topic for some reason. Okay, so make sure you click on motility and you want to right click on it. And now Oh, sorry, we already did the first browser, right click, go to attack and first browse, directory and children. Alright, now it's going to open up this tab here. And it's going to, it's going to make you choose the site. As you can see, you have your site IP here. Now you need to select the default directory list to it's going to use this list here, this default list that comes already with zap. And now it's going to try and use it in a sort of a brute force way to try and detect the hidden files and folders. And once it gets the result, it's going to enumerate them. Okay, so now you want to right click again on it, after you've selected the list and hit attack. And you want to go to force browse directory and children. And once you hit that, it's going to start the process. Now again, this is going to take a long, while not a long time, depending on this the size of the website, if the site is huge, then again, it's gonna take a while. And as you can see, immediately we're getting some submitted files. So let's, let's wait for this call to complete. And I know motility has some very, very interesting files here that I'm sure will be happy to get. Alright, so just let it go through this. As you can see, you can check the progress as you're going here. And again, the the if you look at the status code, you can see 200 means the pages were found. So you can just go ahead and look for things that are irregular. And I'm sure we can find something here that we haven't found before. Or you can look at the at the file form the website directory here. So um, Mattila day, let's see if we can find something that is really, really interesting year. So we have the includes we have the get index of PHP, we get regressed, sorry for the index dot o we have something interesting here we have a notes folder. Aha, now we're talking now this is where stuff gets really exciting. Alright, so we have whoops, where'd it go? There we are. So in notes, we have some very interesting files in notes. So we have a get passwords. Now what happens? What's this about? Alright, so what if what what if we just open this URL in the browser? Alright, so let me just try and open that in Firefox, I just want to see what it's going to be all about. So hopefully, it's opened up in my browser. If it's not, I'll have to copy the URL, probably because I haven't set any, any default. Alright, so copy URLs to clipboard. And let me just paste that in there, paste and go. There we are Mattila day and passwords. Alright, so you can see that this folder or this file was hidden. And we have an interesting txt file here, which again is quite scary to go we did open Firefox. Well, don't doesn't look like we need that instance. So getting back to the topic here, for some reason, process unexpectedly closed with. Alright, so that looks like we have a Java error there. So let me just go back in over here. So again, we found an accounts dot txt file, what could that be? be caring. Let's click on that. Oh boy. So again, we have accounts here. And well, I'm pretty sure you will know what this means. This is just bad practice from the website developer, where he wrote notes. And essentially, these are the accounts. Now let's see what else we can find. Let's see accounts. Nothing interesting in accounts, because we now have the account. So that makes our brute force much easier. You then have, let's see if we can find any passwords if they were ever saved here. I'm pretty sure they are not. But we can also look for some interesting files here. That can be really interesting. Or you can look at the sitemap if you want to. So let's also copy that. Let's see if it gives us access to the sitemap also very, very important stuff there. Oh, yeah, so the sitemap, for some reason, we were not able to process it. Alright, let's look for some other files here. Let me just open up Mattila day again. So we have the get images. Let's see if we run the get images. Let's see what images we can get. Again, I'm going pretty amateurish on this. I'm just clicking on everything. But I'm just trying to show you the amount of files that you can find, as you can see, immediately, you can find that the refresh button, you know all the icons related to the website. You have the I hack banner. Oh, yeah, hackers for charity, man. So I'm talking about YouTube. Oh my god, what an old logo that is the older BSP logo. Pretty cool. Pretty cool. And yeah, so you get the idea. So this is how you actually go through website and find files that could contain you know, stuff that is quite interesting, to be honest. So let's see what else we can find. I'm just going to go to one more resource here that we've found, oh, we have to get register out. Now. That's what I'm talking about copy URL to clipboard. It's actually it's actually quite fun. This why bug bounty hunting is? Oh, yeah. Now this is what I'm told we can actually register. We can actually register ourselves on the website. Now again, looking at the website from here, it doesn't look like we can. Can we even register on this website? Not sure we can. For some reason, it's not actually letting me scroll to the top. But hey, I don't really know what's going on there. So let's see if we, yeah, we can definitely log in render and register. Sorry about that. We can register there. So yes, it is the register. It does exist. So that wasn't actually hidden. But it was hidden. It was hidden to the women when we spidered the website. So that means indeed, it was hidden, for obvious reasons. Because the brute force for example, if you find the login, which is again here, and again, if this is hidden, you can imagine the the damage that you can do so again, you can log in from there. Set up database, whoo. Now, that's interesting. For some reason, it's not letting me copy. Alright, so looks like we got set up database here. So yeah, we can Okay, I do not want to manually edit the request. No, I do not want to manually edit the request. For some reason my keyboard is being pressed here. While that's we admin, copy heroes to clipboard. All right, sorry about that my spacebar was being mashed on by my tablet in front of me. Right. So let me just there we are on. So no PHP MySQL errors, were resetting. So essentially reset the database, and you can see the damage that this can do. So again, that is some good stuff that you can have fun with, when especially with Mattila day, you can increase the security and find what other files you can, you can find, you know, with zap, again, zap is a fantastic alternative that you can use. If you know if you're not ready to invest in burp suite, that's totally fine. I used zap for I think about three years, especially since 2014. I think I used it in till about I think 2016 or 17. I'm not too sure. And it worked great for me, I really enjoyed it. And I'm just getting back to I'm just remembering all the tools used to work, it was actually quite a user intuitive interface. Because I just remember right clicking means you can copy the URL, you can inspect it, you can change the request, you can attack all that good stuff. And you know, it's sorted out really, really well. Alright, and you can look at the requests here, you can change them to whatever you want, and then send them you can intercept them. So it essentially does whatever but a suite does. We're going to be looking at web application firewalls, or waafs, as they're called. Now, this may be a new term for you and do not worry. This is now when we move into a more professional level. And again, this is what I've been talking about is most people out there or most documented documentation out there won't cover the most important industry standards. You know, now when I'm talking about web application firewalls, what I mean is, is these are the protection or these are the mitigation procedures. put in place to protect a web application from attacks, obviously now as a penetration tester, or if you're looking at it from a white hat, or a black hat perspective, from wider perspective, it's always important to have a web application firewall. And I'll probably make another video showing you how to set it up, it's really easy, and it's free, and it will probably removed about 20% of attacks. Okay, so that's if you're a white hat. Now, if you're a black hat, and you're targeting, or you're performing a penetration test legally on a website or web application, we usually what the employer will tell you is they'll give you a scope of the project. And again, they might give you the source code, etc, etc, you get the idea, you have your white box, testing, black box and gray box. But coming back to the firewall, most of them will know that there is a firewall. And that's because the person who set the website up for them in terms of hosting, or the web application for them, will in most cases, on a professional level, have a web application firewall. Now you might be a bit confused. And you might be saying, Well, why is this important when performing a penetration test? Well, this is important because firstly, it's something that most pen testers overlook. And if you know this, you've got an ace up your sleeve. Alright, so essentially, what's happening is if it's being used, if a web application firewall is being used, you obviously first need to detect it. And I'm going to show you how to detect it in this video using a special tool that I don't think you've ever heard of. But it's also industry standard. So this is a real secret, I don't know, for some reason, it's not just, it's something that just hasn't caught up yet. But hopefully, after this video, you'll know about it. Alright, so essentially, the purpose of a web application firewall is it protects the web application, you know, from a firewall point of view in the sense that it blocks attacks, as one would expect them to come. Now what does this mean for you? Well, this means that you will need to, you will need to manipulate any type of data that is going to be encoded, alright. So what this means is, if you're, if you're performing a penetration test that involves you manipulating data and sending it back to the web application, then you need to encode it in a specific way to bypass the firewall. Otherwise, it will be blocked by the firewall. And I'm sure most of you have actually done this before. If you're just amateur penetration testers, and you've just begun, you'll find that for some reason, your requests aren't being processed. And that's because they've, there is a firewall set up to prevent these malicious requests from being processed. Okay, so again, web application firewall is really, really important. Now, looking at the tool we'll be using, the tool has actually a very, very funny name you for some of you might find it hilarious, it is called wolf wolf. Now for those of you who have heard of it, you pretty much already know how to detect a web application firewall, but it's really very, very simple. Alright, so just open up your terminal. And what you want to do is you want to type in wolf wolf. Alright, so this is how it is going to be spelt. So it's worth Wolf with a tooth with two zeros. And the syntax is pretty simple. If I just hit enter, as you can see, we're forth a web application firewall detection tool. Alright, so credit go to the author, it's actually it's a tool that's been there since the, I think almost the last version of backtrack and the first version of Kali. So again, quite an old tool, I when I say old, I mean, you know, I mean that with respect, given the fact that it's a really, really useful and I've used it a lot because it saves you a lot of time. And what I'm talking about is, so let's say we want to scan a website, okay. In this case, I have my WordPress server running here. And as you can see, it's the site is being hosted on 190 2.1 68 point 1.11. Alright, so I have that IP opened up in my browser. And as you can see, it's a WordPress site. And this site is vulnerable. And this is what we're going to be performing later on the penetration tests on. But for now, we want to find out whether it has a firewall. Now by default, I know it doesn't have a firewall. But let's see what we're for Fidelis, alright, so the syntax is very simple. As you can see, you just type in wolf Wolf, and you enter your URL or your URL, so you can enter as many as you like. Okay, so I'll give you an example of how to go about it, make sure you enter your HTTP or HTTPS protocol. And we just, let's try that out. So Wolf, Wolf, and we specify our protocol HTTP in this case, and the IP address 190 2.1 68 point 1.11. All right, now in this case, I'm pretty sure that it won't detect any web application firewall. So let me just hit Enter. And as you can see, no web application firewall detected by the generic detection. Alright, now this is very, very advanced. And this tool is an industry standard. And if it does tell you that there is no web application firewall, then by all means, I can guarantee that it will it does not have a firewall. Now let's look at one of my sites that I currently own. It's a site that I use. It's actually My web development company that obviously we use for web development now I've predicted this site with a web application firewall provided by CloudFlare. Now, for those of you who are web developers, and when you're performing your hosting, you know that using CloudFlare is awesome because it allows you to optimize your site for speed. It allows you to purchase assets and make your site faster, protected, and again, protected from DDoS attacks, etc, etc, all the good stuff. So let's see if it will actually detect this. So I'm going to type in wolf wolf. I know that name is really, really funny. The protocol is HTTPS, https like so and I'm going to specify the site which is Elgon studios.com. Alright, Elgon studios.com. And if I enter, as you can see, it's going to start checking the site, give it a few seconds, it shouldn't take any much. You know, a lot of time, and as you can see the site, Elgon studios.com is behind CloudFlare. Right now, what this means is that most of the most of the attacks that involve manipulation of data will be in some way blocked. And you know, you won't get your response back the way you wanted it. And the render wouldn't be the same. Right now. Again, as you can see, it detected that it is behind a web application firewall. Now the next step is how to encode these, how to encode encode your your requests that you're going to be sending to the web application. And that's what we'll be looking at as we increase the security level, using the the dam vulnerable web application. Alright, so I thought, this is something that I really need to share with you, again, it's going to really help you. And I promise you, this is something that, you know, if you go for a job interview, or you're performing a penetration test for a company, this is something that most of the network or systems administrators are very keen on, they want to know whether you really know your stuff, and whether you're really up to date with how to detect, first of all, because information gathering is really important. And as you can see, this tool is fantastic. And once you know there's a firewall, you then have a better idea of how to target and you won't be wasting time. Again, that's something that most of the amateurs or beginners do. They waste a lot of time trying different commands that they've seen, but they find the date and they see that it doesn't work. And they're like, how is this possible? Am I doing something wrong? The truth is, the web application is probably well protected. So again, you know, do not use this for any malicious purposes. Again, this is simply an information gathering tool. I'm going to be showing you how to use der Buster to discover directories and files on a website or a web application. You might be asking yourself, what is der Buster? Or if you haven't heard of der buster, let me explain it to you. Alright, so the airburst is essentially a tool that was developed by OS, the open web application security project, and essentially uses a brute forcing to find commonly used directories and file names on servers. Alright, so this tool is extremely useful for those of you who are doing CTF, for those of you who are bug bounty hunters, because essentially, it allows you to understand the structure of a web web application or a website in terms of the files and directories and how they're structured. Alright, so why is this important? Well, this is important because this will help us understand how we can attack a site or what type of attack vectors we can, we can we can find, you know, so for example, if I the web application, and I'm going to demonstrate that right now, and I scanned it with the bust, and we found some hidden directories and hidden files, we can use these as attack vectors. Alright, so as I said, it also allows you to find hidden directories or files that are hidden from the public. So this can also lead you to, to finding additional resources that could have been hidden away by the devs that like for example, admin pages, etc, etc. Alright, so how does it work? Well, really simply, once you start up there, Buster, and again, as I mentioned, it uses brute forcing so I'll explain where wordless come into play. So you open it up and you select the URL of the web application or the website and you specify the port The port is is the is definitely going to be HTTP sewed a the a port 80 or Port 443. And then you select the word list now, in this case, Cali annex already has a dub dub Buster word list that that are designed, it has three of them that are designed for different types of scenarios. And I'll explain them as we move along. All right, and essentially how it works is once you start the brute force attack, it will send HTTP GET requests, and it will wait for the response from the server or the web, the web application. If it gets a 200 response. That means that yes, that directory exists. Alright, if it gets if it gets a bad response, meaning like 400 or four or three, meaning no access, then it'll it will it will know that that directory of file doesn't exist. So it's essentially testing directories on the server against This, this word list. So it will check, for example, is there a temp folder, if it sends a temp request to the server, it gets a response, a positive response, then it knows it's there, and then it will enumerate them. Alright, so let's start off really, really simply. So I'm on Cali the next, I have the OS, broken web application, right here. And I'm going to be demonstrating two scenarios. So you can see I'm running that here. And that has a lot of vulnerable web applications. But the whole idea is to demonstrate how directories can be found. Alright, and why this is extremely important, especially for a web application penetration tester. Alright, so I'm gonna pull up Firefox. And as you can see, you have the open web application project right here, the OS B web, as they call it, and it has plenty of ways of me testing this. But what if I was to just test the entire server? Alright, so this is a web server. What if I was to test the entire web so well, I'm guessing that there going to be a lot of files and directories. So what we can do is, we can start off with a perfect example of how this will work is let's say you're targeting a WordPress site. So I'm going to open up the broken WordPress. Now, of course, this is an very old one, and we're not really exploiting anything. But by using this example, it will let us understand how we can enumerate the different directories and folders, you know, on this WordPress installation, or if you are target targeting a WordPress site, this is the way you do it. So I'm going to copy the URL with the with the directory right here. So it we know it's in the WordPress folder, because that is the root directory of the of the web server and we're selecting the WordPress installation. But for the website, you will select the URL. Alright. And that's for the port, we know that this is the default HTTP port, which means it's Port 80. Alright, so I have doorbuster. Right here, if you can't find it, just you can use the start menu and type in der buster, it's going to be like so just this click on it, and give it a few seconds to start up. So again, it was designed by the OS team. So it works really, really well. And again, this is something that I'm sure if you if you are a web application penetration tester, or you do do the CTF challenges, then you will, you'll know that use this tool a lot. Alright, so we in here, we have the target URL, and that will we will paste it Alright, so we can paste it right here. So Ctrl V, and that is the URL. Now in the work method, if you want to, if you want the scan to be faster, you can use the GET requests, but what we can do is auto switch them from the head and get and that will give us a more robust or a more accurate response rate. Alright, so in terms of the number of days, this is how fast you want, you want the scan or the brute force to be, so the faster the better depending on your hardware. And of course, you don't want to overload the server, so I'm just going to go hit click on Go faster, that's probably works the best for me. But if you wanted to run faster, then that means it's gonna, it's gonna have multiple requests and threads being sent from your computer. Alright, so I like keeping it at just 200 threads, which is go faster. And because I'm testing my own web server, I can, you know, I can pretty much increase it to whatever I want. So usually, if you're talking about a bigger server or a bigger web application, then it doesn't really matter how many requests or many threads you use, it will not really affect the performance of the web server. But if I was to run it at maybe a maximum speed, you'd see that the web server would be lagging out, you know, out of the amount of requests that are being sent. Because you know, you have to understand it from a fundamental point of view, we are requesting different web pages, and the server has to process them. So if the if the if the server is not running on on, you know, good resources, like it's running on one gigabyte of RAM, it's very easy to make it lag out, and to actually cause some sort of a denial of service just because of the amount of requests. But in this case, we are performing it you know, with with an ethical perspective. So now, you want to select a list based brute force or you can use a pure brute force. But I don't recommend that that doesn't really work. And you now need to select your word list your doorbuster word list. Now by default on Kali Linux and on paradise, these are found in the user share folder on the under word list. And you can find the doorbuster word list right there. So I'm going to show you that right now. So I'm going to browse, I'm going to go to my root and I'm going to go into user and I'm going to go into share. And let's go into Word Lists here. Let's see if I can find it. It's obviously with a W. Where it Where is it? Let's see. Let's see. Let's see where is wordless story if I can see this. Yeah, there we are. Sorry about that. wordlist and you now want to go into der buster. Alright, so there is going to be a folder called der buster. And now you might be a little bit confused. Well, really, you don't need to need me to be confused. That's why I'm here. So as a beginner you might be wondering like which one is better. Now as an advanced penetration test, I know which one is the best in Most cases, it's going to be the medium the directory list 2.3 medium dot txt. Now, if you're scanning a very small web application that that's not that really complex, like a simple HTML site, you know, HTML, CSS, whatever you want to call it, then I would recommend the smaller one. But if you're scanning a big site, like a WordPress installation, or a Joomla installation, then you should use the medium one, this will work 99% of the time unless your your, your requests are being blocked by either a web application firewall or by the, the host. So I'm just going to select list. Alright. And now in terms of these other options, you can see it's, it's going to essentially brute force brute force the directories, the files, it's going to be recursive, which is great. And the directory, you must specify the directory if it is if you are trying to perform a scan that is directory sensitive. Alright, and standard start point, just leave it like that. And you now want to hit start. Alright, so once you start is going to start brute forcing the web server against, it's going to start sending the request. And if it gets the responses, the positive responses is going to, it's going to understand that yes, that directory does exist. Now you can see we have a response that is being sent here. And it's going to tell tell you that it is unable to determine a consistent failed response, which means some directories and files are being you're getting a negative or you're getting a no access response, meaning that that directory doesn't exist. So what you can do is just hit Cancel to these ones in it Yes. And it's going to continue scanning the other ones. Now of course down here you can see since it's performing a brute force, you can look at the current speed, which varies dependent on the amount of directories, the average speed, and it will tell you the total amount of requests done out of the amount that could be done depending on on the word list that you have selected. And finally, you have the time to finish. Now, of course, this will vary depending on a lot of factors. But mostly it depends on the speed of the scan that you've selected, and the and the word list. So you have your scan information here, it's going to tell you what folders and files it's testing. And in here, you can see the results in terms of directories and files that it was able to find. And in the results, this is going to give you the directory structure as to how files and folders are being structured on the web application. Now by default, right now, you can see the amount of the files and folders that it has found are, for example, the WordPress register dot php. So if we open that, if you right click on it, you can open it in the URL, or you can view the response that it gave. And you can copy it, you understand you get the basic functionality here. And then you can open it in your browser. So again, you see that we are finding files that we otherwise wouldn't have known existed. Now, of course, for a default WordPress installation, you would have guessed that this does exist. But remember, most people are for volken, for most other installations on configured figurations, this can be a great way of finding files and folders that you didn't know existed. And again, discovering them is very, very important. And this can give you different attack vectors. So for example, if I went to the admin dot php, and it forced me to log in, that might be a good place to start brute forcing, if I had credentials, if not, you can choose Select another attack vector. So let me just move back here you can see we have the register page here, which we just clicked on. Let's look at the WordPress login dot php. So I'm gonna open that up in the browser. Now you can see the server is not responding. And that's another point that I wanted to point out. If you want to be as you know, right now we are being as promiscuous as possible. Because we it's not really a web application that is delivering service to other people. But because it's hosted on my local area network. So in this case, you can do a performing a type of denial of service. And that's because the server is located very, very minimal resources to this virtual machine. So that's why it's kind of lagging out. Alright, so that's something to take into consideration. Now if I was to, to pause the attack, like so if I was to just pause it, remember, you can pause it, and you can stop it. And let me just go back here. And let's see if we can reload these pages, they should be able to, to be reloaded quick enough. Let me let me just load that up. And we can close this one. Let's see if the WordPress register page does open up. If this virtual, yeah, there we are. So you can see even though this is a very old WordPress installation, that we were causing it to lag out. So always keep that in mind that the amount of threads that you say can affect the performance of the website of or of the web application and you don't want to cause any any impact to customers if you're performing the test on a real world working web application or website. Alright, just something you might want to take into consideration. So we're going to resume it and of course I'm not going to expect to find anything we add here. Although this WordPress installation is designed to be vulnerable. So you can also change the number of threads running right here. So if I wanted to run, you know, maybe on 10 threads, which is quite slow, that means you will get, the enumeration process will take longer. So it's all about balancing your resources and understanding what you're trying to look for. And of course, this can be a very, very useful tool. When doing bug bounties, or, or CTF for that matter, especially hack the box, we are going to be looking at something that is extremely important and something that should be understood completely, and that is cross site scripting. Alright, now before we get started, I'm just going to explain what we're going to be looking at explain what we're going to be looking at in this video, we're going to start off with explaining what cross site scripting is, I'm going to be showing you the environment that we'll be using for testing any of these, any of these attacks just because they allow us to illustrate or they allow me to explain how everything works, because that's the most important thing for me is that you understand what you're you're listening to, and you have a good representation of what's going on. Alright, so I'll be explaining stored. I'll be explaining the reflected stored and Dom cross site scripting. Alright, so let's get started with me explaining what environment I'm currently running. So you can see that I'm running Kali Linux right now. But I am going to be using the OS broken web applications project. So I'll have this in the description section, it is essentially a virtual machine, that you can easily just run on VirtualBox or VMware. I'm currently running it here. As you can see, I just got the local IP, it's 190 2.1 68 point 1.111. All right, so I have that running. And I'm running this on Kali Linux, and I already have opened up the URL in my browser. So you can see from here, I've opened up v whap. And I've opened up webgoat, because that's what I'm going to be using to explain each of these cross site scripting attacks. So if I was to do that false to just open up 190 2.1 68 point 1.11, yours could be different, it should be different. Depending on your IP configuration, and subnet, then it'll take you to the OS, b, w A, or the OS broken web applications project. The latest version, as of recording this video is version 1.2. So we will be using webgoat and B web, or the broken web application project for for this demonstration. So the default credentials for webgoat are going to be guest for the username and guest for the password. And for B whap. It should give you the prompt right over there. I think it's going to be bug app or something like that. But irregardless, it will tell you what it is. All right. So make sure you open that up, and you have that all set up. So I've logged in to be web and I have a web goat started up right here. Alright, so let me close that up. And we are ready to go. Now before we even move on into performing these attacks, it's very important to understand what's going on here with with cross site scripting, what it is how it works. And what are you exactly taking advantage of right now, this is where a lot of people make mistakes. And if you want to be a successful web application penetration tester, you need to understand, you know, from a fundamental level, what's going on here. Alright, so let's get started. What is cross site scripting? Well, simply put it is the process of injecting a script into a into the parameter in a URL to attack a user of the site or to potentially attack the server side of the website or the web application, right? So essentially, is the inject the injection of a script into the parameter of a URL. All right, that's essentially what it is. Now, of course, this may be quite confusing, but don't worry, I'll explain what's going on here. So let's start off with with, first of all explaining the three types of cross site scripting. All right, the first one is reflected and then we have stored and Dom. So with reflected what's happening here is the data is inputted and then, you know, reflected directly back back on the screen. So I'll explain this in a second. Alright, so if we are to look at this from a fundamental perspective, I'll show you how to access this, you know how to navigate the view up. Just give me a second, let me explain what's going on. So essentially, what's happening with reflected cross site scripting is that the input is going to be stored in the parameter of the URL. All right, and I'll explain how this differs with each type of attack. Because many of you will point out and say, well, it's not only to do with parameters, and don't worry, I'll explain all of this. Alright, so we can essentially manipulate the the parameter of the URL, so that we can essentially run a script. Now what type of script we can run a malicious script that is based on in JavaScript, and I'll explain that right now. So you can see with our portal, you don't want to touch anything here, you can set the security level. But for now, I recommend setting it to lope. Not that that's going to hurt anyone's ego. Because remember, you have to be humbled to begin, and you need to understand what's going on first. So we will open up the Jews, the bugs section here, and we want to go down into cross site scripting. And we want to go into reflected which essentially deals with the get the get request. So we're going to start off with that. And this will really make you understand what's going on here. So if I click on that, and I just hit hack. Alright, so now it's going to give us a prompt here. And you might be asking, Well, what what do you mean, what exactly is going on, if I was to not enter any details into the, you know, into these fields, right here. So for example, you can see I just had a suggestion there, that's because I was testing it out. But if I was to hit go, you can see that in the URL, we do have the input here. So you can see the values can be edited directly into the form. So you can see first name has no value. And then we have the last name, which again has no value, and you can see that it is submitting a form. So what we can do is run some JavaScript code in here. And the most common way of explaining what's going on here, of course, not running a very malicious code right now, it's essentially explaining and demonstrating that it does work is I can run a piece of code here. Now, of course, when you put this into a practical perspective, many sites are going to filter the content that you can enter in these fields, all these forms, and will essentially will not allow you to run JavaScript code and you know, obviously, to protect, protect the site from these type of attacks. But what you can do is encapsulated to encode it in a different type of language. Or, as I said, I'll show y'all everything, or how all of this works. So this right, right now, being the current security level, as low, we are a lot a lot essentially encode, it will not verify or validate what we're entering in here what input is being given. So if we were to type in a script here, so we can say script, and you can see the recommendation there script, that's mine. So if I was to type in alert, and this is JavaScript, so I'm pretty, I'm pretty sure you can you know what's going on. So we can say, Hello world. This is an example of reflected accesses, or cross site scripting, and we can close that operate now. And then we need to close the script. So we can do that in the next field or the next parameter. Most people like doing it from the start. But this is just to show you how robust this can be. So I type in I close the script and hit go. And as you can see, it gives us the alert, which is what we and we which is what we used as a form of, of me showing you that it does work and it will be processed, the input will be processed and will be sent back to you, you being the client. And we can just hit OK. And that was an example of reflected excess cross cross site scripting, using the get method. Now of course we can, I can replicate this many, many times using the other types of cross site scripting, for example, with the post, etc, etc. We'll be looking at all of that. But for now we need to understand what's going on here. Now next, we need to look at stored cross site scripting, this is probably my favorite because of the potential that it does have. Alright, so let's go into the juicy bug menu here. And we want to go into cross site scripting, and we want to go we want to go for the blog, cross site scripting stored cross site scripting, and we're gonna select blog, and I'll explain why in a second. Alright, so first, let me explain what stored cross site scripting is. So essentially, with this with the cross site scripting attacks, more specifically, these stored attacks, essentially, what's happening is you're attacking the input. And you're essentially attacking the input that is to be stored or you're attacking the data, or, essentially, I'll explain this really simply, so you're attacking the input that is to be stored on a database. So what you're doing is you're essentially injecting malicious code that will be saved into a database, or that is going to be saved by the server, or the web application server. And then you can definitely you since it's being stored, you can access it later on or other users can access it. And for example, if it's running malicious code, it can trigger different things like opening the webcam of a user stealing different type of information. I'm not going to go into what you can do with it, but you can really do a lot of stuff, a lot of malicious stuff with code. Alright, so let me explain what's going on here. So with this stored, cross site scripting, you can essentially inject malicious code into the database again, that then that when accessed runs this malicious code. Alright, so if you can see this is an example of a blog. Let me explain what I mean the best places to implement stored cross site scripting is in places like means, you know forums. And again, as you can see write your blog in the form of comments that you know, or pages that can be accessed later, or data that is being stored in directly into the database, any database for that matter as long as it's being stored, okay, so we can type in something like hello. And we can submit that to the database. And you can see it's getting stored. And you have the different tables, you have the the number, the owner, the date and the entry. So now we can also run a script in here. Alright, so what if we were to enter Java scripts, and again, this data, given our security level is any of the data that we're entering is not being validated. So you can essentially enter it raw. Now in reality, if you go and try and enter a script in the native will not be accepted, because, again, they're protecting their site against that. That's one way of mitigation, very basic, I'm sure you know what I'm talking about. Alright, so enough of me rambling on. So if we are doing enter the same script we entered, we are to say script. And we then say, alert, for example, we can you can use any type of JavaScript code you want here, and you can experiment, you know, you these web applications are there for you to experiment and test your skills out. So first to say, Hello world. This is stored out stored cross site scripting, and we just close that up there. And of course, we have to close the script, because we know that that will not execute if we do not code it correctly. Okay, so now we can we can add that. And if I was to just hit submit, right, now, you can see that it's going to store and with that being the latest blog post, you can see it's going to tell you, it's going to execute the script. And it's going to say hello world. This is stored cross site scripting. So an example of a blog, if you're to post this on a page or a, you know, to make a blog post and inject this script in, anyone opens that page will essentially run that malicious code. And whatever that code does, can then furthermore, you know, cause damage to the user or to the server depending on what you want it to do. So it's all dependent on what the attacker is to do. Remember what I told you in the first video of this series, it's all about your mindset, and your your your willingness to break things and to find out what does and doesn't work. Okay, so that was an example of stored cross site scripting. And as I've mentioned, the most important thing to understand is this in this scenario, the data is not being validated if it is being validated. And I'll show you that in a second. Or probably in the next set of videos, we'll increase the security level, and I'll show you how to get you know past this, you can see how things change as you move along in terms of security levels. So I was going to use the V whap. This my first time using it. So I had to get a bit of an introduction through the documentation. And I realize they don't have dumb cross site scripting. So I that's why I had to use webgoat. They're the only ones I know who actually allow us to run it. So as zoomed in right now, by the way, the credentials are guests for the username and guest for the password. So essentially, I went through cross site scripting, and again, they didn't have the DOM in here, all they were focusing on is stored and again, reflected. So I found it to be in the eye x or Ajax or whatever you want to call it. And we have the the DOM based cross site scripting, let me explain why it's in. This is based in Ajax security. This is because Dom cross site scripting focuses on the client side. So any data or input that is entered, whether it be a malicious code, etc, etc, is going to be processed by the client, not the server. So any of the attacks will be based, of course, on the client. Now, let me explain what I mean. If I am to run remember, JavaScript, server side, client side i x, for example. So if I am to run, for example, a JavaScript code in this entry here, so script, and again, I type in alert, just being the example and I say, Hello, let's keep that simple. And I close the script here, you can see that we will probably not be left with anything will not get any result. That's because it's being processed by the client, not by the server. So no, no result or no data will be reflected back to us. If it was, you know, if it was reflected cross site, scripting it, the server processes it, and then is reflected back to the client. So if I was to submit here, you can see that nothing happens here. And that it is going to be taken as code. Now what if we were to enter or use a language that that a client can understand? So let's say we want to say, let's see, HTML, whatever to use HTML, so I can say in here, IMG, for example, that's a very This is the way we learned it. So IMG See, and we don't have an image source. So we can leave that like that. And then we can use the on error, in case we get an error of image which we will get because the image has no source on error, we can say that is going to be, that is going to be equal to alert. And then the alert we can input in here, we can say, Hello, whoops, hello world. And we can close that up. And once we have closed it, you can see that we can, we can close that there. And there you are. So it is great to be processed by the client, and you get the dialog box or the alert with the message Hello world. So you can see that with Dom based cross site scripting, it is all being processed all the input, whether it be malicious or not, is being processed by the client. And Ei x is one of the largest languages that can be used. So you can also incorporate a x if you wanted to test it out. Remember, it's all about experimentation and understanding, I hope that you're you've got an understanding of what cross site scripting is, how it can be used to manipulate data, whether it be on the client side on the database, and how you can easily just transfer data with you know, bad security in place. Of course, this is the these attacks will be a very uncommon now. But again, this was focused on more on an explanation point of view. We're going to be looking at cross site request forgery, or CSRF. Now, this is an extremely important topic and a big one that I cover it correctly. So for the purpose of this video, I've set up a very unique environment that in at least in my opinion, will demonstrate how to utilize or how to perform this attack. Alright, now I'm just going to give you a brief overview of the environment that I have no, of course, you can see I have a few files open here. Don't worry about them right now, just just remember that we'll be using them later on. And I'll be using them really, really well to explain what's going on here. So you can see as my target or as my vulnerable system I'm going to be using on my vulnerable web application, I should say, I'm going to be using the OWASP juice shop now. Not actually no one actually recommended this to me. But I remember that I performed this during a CTF challenge that I went to earlier, I think late last year. I'm not too sure exactly when but the whole process was involved in exploiting this web application. Alright, and in my opinion, this really outlined or really showed of how to perform all of these various web application attacks. In this case, we're going to be focusing on cross site request forgery. Alright, so I have the juice shop running it's, it's based on a node.js. And it's running on my local host. Let me just show you that right now. There we are. So I haven't logged in or done anything yet. And that's because I'm going to do that with you. So I've set it up, it's running on my local host. Let's get started with this really, really simple but sometimes complicated topic. Alright, so cross site request forgery CSRF. Now from the name, you can already tell that it's split into two into two sections, you have your cross site, and your request forgery. So from that, we can get a basic example of what's going on here. We have cross site scripting, and we are going to be forging requests or we are going to be manipulating requests. Hmm, interesting. So we are we are kind of understanding what's going on here. Now the technical explanation for what CSRF is, is it is an attack that forces an end user to executed unwanted actions on a web application in which they're currently authenticated. Alright, so let me put that really, really simply, right, it's an attack that will force an end user to execute unwanted actions on the web, on a web application, these actions can be anything, but in this case, we're going to be looking at changing the password. And they have to be currently authenticated to that web application, which means they have to be logged in to that web application for this to work. Because if they're logged out, then you get the idea. It really doesn't help or it doesn't work. Alright, so we use cross site scripting, in this case to perform the request forgery, and to get either desired or undesired results. In our case, we're going to be looking at how to to change the password of any user that's logged in to the to this web application. And how will we How will we be doing that? Well, we are going to be using CSRF. But the first thing you need to understand is how an HTML form works. Alright, and this is very important because first of all, a client will request a page from a server. Alright, the server will then respond and give the the client the HTML form. The client will then send back the form with the data back to the server server will then authenticate and authorize the user and then will will perform the requested action. And based on the request and the response, we are able to forge or to change the request and get a desired response if you're looking at it from an attackers perspective. Alright, so, the the way CRS CS CSRF works sorry about that is the attacker will manipulate the victim into submitting the attackers form data to the victims web server, essentially, essentially performing these these requests in the in our case, as I've mentioned, it will allow us to change the password of any user on this web application, in this case, the OWASP juice shop web application. Alright, so now you might be asking, Well, if I'm a bug bounty hunter, I'm practicing to become a bug bounty hunter. How do I go about finding this vulnerability? Well, that's a very good question. And that is the question you should be asking yourself when performing any penetration test. Now, coming back to my environment, I'm running burp suite, the Community Edition, you you will just need the Community Edition for this one, we're not performing any advanced techniques here, because we're essentially just changing, we're just going to be changing the request to get our desired responses. But once we move on to the advanced stuff, I'll then be using OS zap for our attacks. Alright, so keeping things really, really simple, we, the way to look for these vulnerabilities is to target the login pages, which we have right here, we then need to, we can then create the account and log in. And then finally, we will be creating our own our own script to perform the cross site scripting. And that will allow us to submit the data or if we send the URL to another user of this web application who is currently authenticated, it will allow the it will allow us to make them change their password, and then we can log into their account. Alright, so this vulnerability is very common on sites with accounts, you know, sites that have emails of passwords. And as you probably would have guessed, there are a lot of sites that utilize this functionality. But remember, most of the sites out there will be protected from this vulnerability. So it's up to you to find these vulnerabilities. Alright, so as I've mentioned, we will be using OWASP juice shop as our target. And the reason is, is because it will explain what I want to explain really, really well. Alright, and we'll be using the burp suite Community Edition. Now, as you can see, I'm currently running the burp proxy, I'm not intercepting any traffic, if I open up burp suite, I'm not intercepting any traffic. If I go to the proxy, and intercept, I'm not intercepting anything. So it's currently just I'm just going through the burp proxy and all the traffic and data is being logged through the proxy. So when it comes down to this little data that I've saved here, I've already created an account. The reason I've done that is to save time, because I don't want to explain everything about it. So I've created, I've created a user with the email of test@test.com and a password of password. So really simple. Again, there's nothing really complicated here. And if you want if you're wondering what exactly does this mean? Well, this is a security question with the answer. So the question was, what's my favorite pet, and I wrote in dog. So hopefully, that doesn't scare you into thinking that I've gone completely crazy. And then in here we have the scripts that we'll be using, or will be utilizing to perform the CSRF are on the site, I'll get to this in a second. We don't need that right now. So if I want to log in, I know that the email is test@test.com. And the password is password. Alright, so let me do that right now we need to authenticate. So let me log in, like so. And I'm going to hit test@test.com. Alright, and I'm going to write the password, which is password, and I'm going to log in. Alright, and I'm don't want to save the password. And there you also have logged in now. Now as I said, this is very this vulnerability works really, really well when you're talking about changing passwords, because as you can probably guess, an attacker would would be looking to exploit this functionality because imagine, if we were able to send a request a get request to our target with the URL encoded URL. Of course, we can also use link shorteners, if we wanted to, to do that. And essentially, if they authenticated, it will allow us to make them change their password simply by clicking on the link, changing their password to whatever we specify. Alright, so how do we do this? Well, the first thing we need to do is we need to look at how we get requests are being sent. And we can do that using burp. So we're just going to change our password. So current password is password. And what I'm going to do is I'm going to change my password into password. Oops, sorry, pass word 123. And I'm going to repeat it so fast word 123. And I'm going to hit Alright, so the password was successfully changed. Okay, now let's look at how this was processed in burp, or how the request was sent in burp. So I'm going to go into burp proxy and HTTP history. And I'm going to go all the way to the bottom. And as you can see, we have the get request right over here. Okay, so the get request is very interesting. You can see we have the get request, and it's targeting the the following URL. And these are the parameters. So change password, the current password is password, new password 123. And we've repeated it. Alright. So now let us perform the forgery here. So I'm going to send this in to the repeater. Alright, so I'm going to click on repeater. And in here, we can manipulate the request and see what responses we get. All right, in case you, you did not know about that. But again, let's start off really, really simply. So we are going to be working with the raw request. We don't want to work with individual parameters, although you could change it, but we are going to be manipulating the request entirely so that it performs what we want to do. Alright, so what we can do first is we can test so let's change what if we were to change the current password to something like, let's see test, let's change it to test and then we hit go, you can see that the response we get is a is a 401 error, which means we are an authorized to make that and it will give you the message right here. The current password is not correct. All right, that's good. That is good from a web application perspective, which means that this web application is performing validation. And it's not going to allow us to know to just go in and start manipulating any requests and making changes. So from a security perspective, the web application is doing really, really well. Alright, what if I was to change the new password? Let me change this back to password to the current password, which is what we said and change the new password to password pass 123. All right, and I hit go. Again, we get another error. Again, the 401 unauthorized error telling us that the new and repeated password do not match. So yes, the current password is correct. And the only thing that we're getting an error is the new password and the repeated password are not correct. So interesting. What if we want to change the password into password 123. And we can repeat that again. So we want to confirm this. So password 123 actually hold on. So I'm going to say password 123. And now let's see what this tells us. This should verify it. But let's see if this works. So you can see yes, that does work. And we know that this works, because that's what we did that was the original request. But what if we do not know the current password of the user? Remember, we're going to be targeting other users of this web application. So what if we get rid of and this is very, very, this is the way penetration testers go about it. What if we get rid of stuff? So what if we get rid of the current password? Alright, and now essentially, they get his targeting Change Password with the question mark here, essentially requesting and we're only entering the fields or parameters new. And repeat what if we do that and we change them to password 123 I mean, pass 123 and pass 123. Let go. You can see yes, it does work, we get the 200, the 200 response, which means everything was processed correctly. And we were able to get a password that looks to be hash, that looks to be hashed. And we got the email that we used. So yes, we do know that it is working. Alright, so we know that we know that this worked. But we need to confirm that this has worked. So we can do this by going back into our web application. And we can log out and we can try and log in again. So log in with our new password. So we're gonna say test@test.com, and our new password was passed 123. Remember, we changed it earlier. But again, I was demonstrating that we if we are to send this to our target, we need to specify to make sure that it will work without any pre required information like their current password. So I've manipulated the request there. So let's hit log in. And voila, you can see it does work. Excellent. All right. So this is a fantastic example of so also CSRF can be utilized or how it can be how you can find vulnerabilities for it. Alright, so this can allow us to change or update anyone's password. anyone's accounts password that are currently logged into this web application. Alright, so now what we what we need to do well, we can we can log in. As we've already seen, we can log in and once you've logged in, we can we can test to see if cross site scripting does work. And then of course utilizing it throughout the web application is very important. So We can run a simple cross site script attack to see if it will work on the search bar right here. So I'm going to type in script. And a simple one. So alert, just to test whether it works. And in the alert, we can say, Hello, just something stupid hello world, you know, that's an I can't even type man Come on world. And we've typed in the alert. And we can finally close the script here. Script like so. And let's hit search. And voila, we can see that indeed, cross site scripting work works, which means we can insert, we can insert our GET request inside a script and use a cross site scripting to perform the CSRF. And now you can see them conjoining together, cross site scripting with request forgery. Okay, so we now need to create our custom script that will allow us to utilize the attack. And we will be using XML and HTTP. Now, you might have seen this script right over here, let me just minimize this and open up leafpad, you might have seen this script that I created. Now you can find many of these CSRS scripts are online that utilize different languages. In my case, I find the one that works the best is the is the one that works with x XML and HTTP and contains the get request in here. Okay, now, you can see that the get request requires the URL in which we submit the the parameters without the current password. So we need to go back into burp. And it needs to go back into proxy HTTP. Sorry about that HTTP, we look to change the password. So if we go back into, sorry, the repeater. And if we look at this now, we can see that the URL is right over here. So that's the get request. So if we copy this localhost, obviously, and we are not using any current password field, so if we can do that, really, really simply, you can see how this can be utilized really, really well. So what we need to do now is understand how the URL will be format. And of course, the web application is going to encode it, and I'll get to that in a second. So we need to copy this URL right here. So I'm just going to copy the URL. And we can edit our our script. So HTTPS, and we paste it in inside the URL, you can copy this script if you want to. Let's take a look at whether this script is formatted correctly. So get HTTP new, that's not the way we want it. Let me get rid of the pre pre determined HTTP there. So HTTP localhost, it's hosted on my localhost with the Port 3000 node, an OJS standard. And the we want to change the password, the new password is past 123 and repeat his past 123, you can change that to whatever you want, if you want to, you know, play around with the script. But in my case, I don't want to do any of that. So this is the script. So what we can do is we can copy this now. And we can run this in the search bar. And that should, in theory, and in practice, give us our first CSRF attack on the site. So I'm going to paste this in here. And let's see whether it does this. So I'm gonna hit search. And you can see you successfully solved the challenge error handling provoked an error that is not very gracefully handle. Again, this is a fantastic web application vulnerable web application that is awesome for practicing your your web application penetration testing skills. Now, I talked about the URL that you should send to your target. And that is the URL that will essentially make them change their password or without them knowing, given that they are logged in to the web application or they have an account, it will not work if they have not logged in. Alright, so that's very important to understand. And many people just you know, forget about this. Now. Again, if you could have done this, you I can log out again, and I can log in try and log in now. And I can type in for example test I just want to show you something very interesting here test. And I can change the password, we already changed it to password 123. Now before I do that, I can just inspect the element here. And I'm going to hit login. And I just wanted you to check something out. All right now, let me just expand this a little bit here. If we were to look at the network, this will essentially shows all the GET requests. So if I was to hit login, you can see that if we are to look at the get request here the login GET request, you can go ahead and look at at the exact format in which it was sent. You can look at the cookie the it should give you the the authentication token not to show it should give you the authentic the authentication token. But that's something for another day. Don't want to complicate you guys, you can look at the cookie if you want to. And you have all the responses right here. So there we are. There's the authentication token and you can see something very interesting in regards to the token. Alright, so let me show you this right now. Alright, so as I was saying, you can see. Alright, so as I was saying, you can see that if we look at the parameters, the password will be displayed there, and it will be updated to the one that we selected or specified in the script. Alright, so remember, if you want to customize the cross site scripting attack, you can do it through your script. And where is lifted here. So there we are. So you can change the password. The as you see, we just got rid of the current password parameter, which is a vulnerability on the site, but you can change the password to whatever you want. And now you might be asking, as I've mentioned, what link do you send to the target and that is very, very simple. If I was to run the script again, and I change the password to maybe something else like password 124, or 345, sorry, 345. Let me just add that to the password. And I run the script on an authenticated user, which is me. So let me copy that. And it should change my account password. And you can see once I log in, log out and try logging in, it will have changed it successfully. So let me just run it in here. So I'm going to paste the new one in here. And I'm going to search and there we are. So now it's changed my password. And if I log out, and I try and log in with with the old password, which is password 123, you can see whoops, sorry, I think I typed that in wrongly 123 like so, fight login, there we are, you can see that we entered the new password, and it did work fantastic. So we were successfully able to execute the script. And again, when if I just run the script, again, this is the URL that you will send to your target. Alright, so if I just copy it, and I inspect it in my leafpad here, I really love leafpad. I don't know that you guys love it, too. If I just inspect it, you can see that this indeed is a URL. And if the web application was being hosted on a server, outside my local area network, it would give you the website name, the port, if it is port specific, and the URL here, which as you can see is encoded. So what I would recommend is that you copy this link here, and you use a link shortener like bit fly or any of the other Google shorteners, and you send that to your target. And once they click on the link, and if they already logged in to this specific web application, it will update their password. And you can essentially, you have the password now because you've updated it. And you're all you need is the email, which I'm pretty sure you must be knowing if you're performing this attack. Or you could just be gathering passwords of users, all of which you can, you can send this link to and are authenticated with the web application. We're going to be taking a look at session management. And in this video, particularly, we'll be looking at cookie collection. Alright, so as you know, you probably would have known what a cookie is. Now there are three types of cookies that we really need to be focusing on in this section. And we will be focusing on in general. The first one is the session cookies, which I'll discuss in a while we then have the permanent cookies and the third party cookies. So third party cookies are really all to do with third party API's that may be used. So for example, if you're on a website that utilizes flashplayer, you may find some cookies, that that are in relate that are related to the Flash Player. So it's very important that you understand how to collect these cookies. And as well, we'll be looking at reverse engineering them, but not really tampering with them. Because I first want to explain to you guys how everything is done. And then we can move on into into finally tampering with them and seeing if we can change them to give us access to give us different type of of access. And where this comes into play is when you're talking about session cookies. And in this session cookies, we have the the auth, the authentication token, and the D and the unauthenticated token. So all to do with your access on a web application or on a website. Okay, so essentially, all the cookies that you can probably ever get when you visit or you get when you visit a website are they are generated when you visit the website. And furthermore, the cookies change when you authenticate with the website and you or you log out right so when you log in, you get a different set of cookies. And when you log out, you get a different set of cookies. This is where the whole idea of session management comes into play and how cookies are utilized for this system. So I'm currently running OSU shop. So I showed you guys how to set that up. Let me know if you found it helpful. So I have it set up and open as it opened up in my browser. Now what I'm going to be covering is how to collect these cookies and understanding the difference between an unauthenticated cookie and the authenticated cookie. So Usually, what I have, or what I use to my advantage is if you're using Google Chrome or Firefox, you you can get a cookie collection or a cookie editor add on that allows you to edit the cookies. But as I said, we're not going to be looking at editing them right now, because we don't know what to change in them, this video is going to be focused on collecting them and then analyzing them to see what information they have within them. All right, so I've currently I reset this, the OWASP juice shop. And the reason I did that is just to start off fresh. And I said, we're going to be using this for performing all of the examples that we'll be showing you so that we can learn all the concepts. So I'm just gonna, before we log in, I just want to show you the first set of cookies that we'll get once we were when we visited the site. Don't worry about the other links, we'll get to them in a second. Alright, so I'm using the cookie editor right here, you can find this same one for Firefox, that's what I'm using. They are also other ones for Google Chrome, if you want to do that. And in addition, we're not going to be using any proxy, like burp suite or the OWASP zap right now, because we're just focused on using the browser tools. And of course, these add ons here. So what I can do now is if I just go right click, and I hit Inspect Element, we have the, the developer tools right here. And if we are to go into Once you've installed the cookie editor, you can directly go into storage. And in storage, you will, you will begin you will get the cookies here and other values right here. But if you it'll be better for you to understand what's going on if you go into the cookie editor. Now in the cookie editor, you can see that we have two cookies that we've gathered here, and we have the cookie consent status. And the the i o which I'm not sure really what it does input output, output, I'm probably guessing. So when it comes down to the QB, consent status, we probably get an idea of what of what this is. What this is asking us. So when I when I opened up the website, it gave me a prompt asking me like all websites will ask you in 2018 to do is to accept their privacy policy, in their privacy policies in regards to their use of personal data and cookies. And the reason is, is because cookies can can log or have a lot of information about you. They contain a lot of information about what your what you've been doing. So this is why I've created this right now before we move along, it's very important to understand their role in session management. Okay, so we need to look at the authentic authentication tokens because that's where most of the magic happens, as you would expect. So let me just close this up. And let me just log in. So let me just use the password there, the email that I used, and the password, like so. And let me just log in. I don't want to save the password. So I've logged in now. And if I inspect the element, again, you can see in the cookie editor, let that load, it usually takes a while to load. There we are, we have the token. Now the token, this token is an authentication token. Alright, so when it comes down, when it comes down to reverse engineering a token, for example, let's use this as our example. We essentially testing it for vulnerabilities similar to a penetration test. Now you might be a little bit confused. You might be asking, Well, what what what do you mean by this? How can we perform a penetration test on this token? Well, this token is encoded. Alright. So this is if we just copy this. I don't know whether you know about this, but this is a JSON web token. Alright. So it is it is a JSON web token. And you can use the JSON Web Token decoder, I'll be posting this link in the description. This is the one that I prefer to use. If I am to paste this in here. And you can see once I've pasted it in here, it's going to give me all information. And I'm going to help you understand what we've just done. So essentially, what we have done is we have reverse engineered what this web token is all about. So now we need to look at what what it contains and what type of authorities or privileges it's giving to us. Because remember, this is an authentication token. And it is unique to us because this will, this will determine whether or not we're logged into a site or we're logged out and what access we have on the website. I'm pretty sure you already know that. All right. So when it comes to the header, now, this is very important. I've seen many web people claiming to be bug bounty hunters and they don't understand how the the web token is even structured. What is the header the header is separated from the payload. This is the header right here, up until the first full stop that is the header it's very important to understand that because they are separated from each other. In fact, the JSON web token is sorted into three parts right here you have the you have the header, you then have the payload until here. And then finally you have the signature which is right, right at the bottom here which is also separated from the rest. Okay, so when it comes down to the header, alright, the header is going to give you the of the of the token. In this case, we know it's a JSON web token, we then have the algorithm, which is the hashing algorithm used, which is the RS 256. And then the payload now in the payload, this is where things get really interesting as you would have expected, you have the status, the status code here, the data, if any data was passed the ID, we can always use the ID. Two, we can always edit the ID to see what else it can give us in terms of authentication, because different types of identification or identification tokens give us different types of access. So, as essentially this is what I was talking about, this is where you will scrutinize the the the authentication token, and try and and tamper with it to to see what different results you can you can get. So remember, we can edit this token, right, and we can edit anything about it. And then we can finally copy it. And we can use that in the OSB shop and paste it right here and re authenticate with that new token and see what results we can get. Now, of course, we're not going to do that right now, because I wanted to introduce you as to what information you're going to find and what exactly is going on here. Okay, so one step at a time. So you can see that something interesting pops up here, something extremely interesting, we have the email which for some reason, in this token, we can see that it's not very well designed because the email is in plain text, which means which means if In any case, or in any scenario, someone is able to get this token in which I authenticated within a site, they will have access to my email and my password. But you must be saying, Well, I didn't see you type out all of these random passwords here. Well, I can easily guess that this is an MD five hashed password, which means I can depending on the on the strength of the password, I can decrypt online in a second using any of the decryption tools. So if I was to just copy this right now, and I wanted to know the password, let's say this wasn't even mine, this authentication token wasn't even mine, and I found the the email and password, all I needed to do was unmatched the password, I can go to Mt five online.org, which is what I use a lot. And I paste that hash right in here. And I hit decrypt. And you can see, well, first of all, it's gonna prompt me to enter capture your storefront. This is this is getting really annoying. Now, for some reason, it always does that, as you can see, it's gonna, it's gonna find the action. Of course, this is this is dependent on the difficulty of the hash and whether or not it can find it online. Okay, so you can see that it will display the hash and the password in plain text, which in this case was passed 123. Now, of course, you can experiment with this. And you can also experiment if, for example, the authentication token that you found was using a different encryption, or a hashing algorithm for the password, the first thing you need to do is identify what it's using, and then you go about decrypting it. Now, I'm not going to be talking about the other parts here, because that's a bit that's a bit advanced. As you can see, by default, the signature, the token signature failed, which means we can tamper with this token, and we can make changes to it. And we can authenticate with it because it said, The OWASP juice shop is is designed to be vulnerable. And this is where you perform all of these tests. Okay, so when it comes down to the payload, the most important things are to look for the status, the ID and obviously, if you can get any other information in the data section, or in terms of the email and the password, that's also very important. Now, of course, it's not very easy to get a hold of someone's of someone's token, but you can do it but and then you are performing the penetration test on the token, because if someone was to write in the comment section of this video, what it was to grab the the authentication token that belongs to Facebook lets you have access to someone's computer for a few seconds. And as to get the authentication token, what would I be able to do? Well, first of all, you have to test the security of the token. And I can guarantee you that their tokens are going to be very well secured and performing the penetration or the penetration test on them will be a different ballgame. So we'll be looking at changing them or or tempering them to give us different types of access. We're going to be talking about HTTP attribute attributes and cookie security. I am currently running OSU shop and what I did is I started a fresh new instance. So I unzipped a new OSU shop. That's because I wanted to start afresh Now, of course, in the previous video, we looked at cookie analysis and tokens. But now we're going to look at how at the security aspect of how these cookies are secured and how you know how cookies are stolen and how these can be exploited with with with other exploits or functionality like cross site scripting. Now you will get to what I'm saying in a few seconds. So I have was used Stop running. And I've created the same user and password as I did last time. So it's a test@test.com, that being the email and the password is password 123. Just so you know. And I'll do that right now I'm just going to log in, as you can see, test@test.com and the password is password 123. So let me just log in. And there you are. So I've logged in and haven't solved any challenges. So when we talk about cookie security, what do I mean? Well, this can be done or can be inspected really easily. Now, of course, for this, you're not going to need any of the browser extensions or add ons, because we'll just simply just be inspecting the element here. So if we open inspect element and go into storage, and we go into cookies, and select the site, which is on localhost, you can see that if I was to click on, for example, the token, and we just look at the data, you know, that we can see within the token, if we go to the HTTP only section here, you can see that that is set to false. Now, what does that mean? Well, that means that we can potentially exploit this cookie and it storage location in the sense that it is it is, it is not secured. Now, I'll get to why and how this is happening in the in a few seconds. Alright, so if the value is set to false, it means that the cookie can be accessed and written to now how can one use this, you know, for potential attacks, or Cookie, cookie stealing, as we know it. Now, if you are an advanced web application penetration test, and you know about cross site scripting, you know, that usually attackers will use cross site scripting, to steal cookies, by sending you links, that then, you know, by sending you links to pages on the site, that you're already authenticated to, that have the the the malicious JavaScript code that will then send your cookie, your authentication cookie with your token, etc, etc, to their attack server. And from that, they can then use that to authenticate into your account, it's not common, because mostly, the, the cookies are usually secured. Now, you will run into sites that have this and this is a very, very big vulnerability in terms of severity. So if you're a bug bounty hunter, this is in the medium to low category, so not really a big exploit, but still a very, very big problem that many, many, you know, usually, I would like to say rookie developers Miss, especially when dealing with huge frameworks like node etc. I'm not going to get too deep into that. So you can see that the HTTP only is set to false. Now, what does this mean? This means that we can use utilize a lot of functionality to exploit or to display the broken or even more to send this my cookie or you know, my token, whatever you want to call it to a server or to save it, alright, to grab it to steal it, you know, simply put, so how can we exploit this? Well, we can use cross site scripting, and this is probably the most used method for this. And to do this, we can simply, we can use any of the, we can use the search, or we can use the contact. But I like using search because usually it is unfiltered. Now, when I say this, I'm you know, many of you will say, Well, most of the big sites, well, I'm not talking about the big sites, the big sites, obviously have to take this into consideration. I'm talking about sites that are developed by small teams, they usually don't take this into consideration. So if I was to just type in a simple cross site scripting script that will essentially display my cookie right now as I'm authenticated. So to do that, I'll just type in script. And for this, we're using an alert here to display to us so alert, and we're gonna say document, whoops, stop, sorry, document, dot cookie. And, and then we're gonna just close the script like so. So this will display our cookie to us. Not really helpful. But you can imagine if we were to have this permanently posted, for example, as a post here, and then whenever we send that link to someone, and they click on it, we can customize this JavaScript code to send their cookie to our web server. And once we get their cookie, you basically know what's gonna happen there. So if I hit Enter to search, you can see that it's going to display our cookie and our token, and this is extremely dangerous. You might not get the context, but I'll explain it in a second. So essentially, this information can be passed and sent anywhere across the world, provided that the that your target clicks, clicks on a link in which this, this script is executed. Now, the question that you might be asking yourself as well, where else can we post this in in sort of a malicious way and I know that I sound malicious right now, but I'll also get into how to mitigate this. And again, mitigating It is really simple. Just set your HTTP status or your HTTP attribute to true or set it to on essentially securing your cookie now You can see that once we have this, you saw in the previous video, what we could do with such information, and what info it contains in regards to the user. And how we can, we can, you know, crack the password. But for now let's focus on how this can be utilized to steal the cookie or how attackers do it. So you can also get insight if you're a white hat. So usually I can post this in here, I can put, you know, I can type the script in here. But this is not, it's probably not the best way of doing it. Because you essentially have to convince the user to go into the search bar and type this in. Not really the best of ways about going about going about this. So usually, we look for a page that allows us to, you know, to post our own stuff, or to save this to a database or to save it to the website itself. So we let's try contact us. Alright, so contact us. Yeah, that looks like a good place to start. So in the comment you it already added our author for so in the comment, we can enter, we can end our script in Yeah, and this will probably probably be saved. But we have to test it. Now. Of course, the cookie stealing JavaScript code is not something that I'm going to be telling you how to do, you can probably perform a lot of Google searches, it's part of the terms that I have to follow. In regards to YouTube's YouTube's policies about malicious content, and when what not, so I'm not going to show you the exact code, but I'll probably have it on my website, if you want to take a look at it and experiment as to how to send cookies to a another server or server that belongs to you, for example. So to do this, so now essentially, what I want to do is I want to save this script, into the contacts section, because I believe this is saved. If I looked, I looked at the structure. And indeed, this is saved. So the script is quite simple. So we can say, we can give it a title because I know the feedback is left like that. So we can say script test. And we can close the script here. So scripts, but then we have to include the the actual JavaScript code. So yeah, so let's include this script within the main one. So script. And then once we close this one, we can then use the other script. So your script, whoops script in, you can copy this code if you want. By the way, let me just zoom in, because a lot of you had actually talked to me about that, that you couldn't actually see the code. So script. And now we want to bring up the alert. Now, of course, as I said, this is not really useful, because all you're doing is displaying the cookie to the user themselves, once they visit this page, so you probably get the idea. So script, alert, and we are just simply just going to write the document, of course, it's all sending it to a malicious server, what I would have done is I would have used the document dot cookie, and I would have appended it to be sent in in the form of probably a PHP file or a PHP GET request to my server, and then my server would log all of the information being sent back. So that's the concept there behind so we can then close the script here. And sorry, we have to actually close the script. Oops, sorry, my bad. And then we close the script there. And finally, we can close the final script ending here. So script and there we are. And we can leave a rating if we want to. And there is a CAPTCHA here authentication 10 plus five. You You basically, this is also an exploit here that you can enter. Because if you look at this very basically, from a simple perspective, the capture here is again, is another false positive. And again, I know I'm dragging this, I'm dragging it a lot. But But what I'm trying to explain here is, if you are going to, you're going to be performing a penetration test on a web site, you need to understand that, from the perspective of false positives, you should not go after the big exploitations or the big exploits first. Alright, so if I submit this, as I know the structure of the OSU shop, this will be submitted to one of the pages in which after I click, or any other user who is authenticated clicks, will will run that script, or this script and will the cookie will be displayed on the screen. And if you want to manipulate or use your own script to send the cookie to your server, by all means go and do that. I'm not condoning it. So that is 75. And I hit submit. And what nots wrong capture 10 plus five, actually, 25. Yes, brackets of division multiplication addition, you guys must be thinking I suck at math. So that is 25 plus five, plus 10. Sorry, that's 3535. And I submit that whoops, we have to actually type our code back in Sorry about that, guys. So we can just type in script, and we're simply testing test. And then after this, we can close the first one. And script here. Whoops, sorry about that my keyboard is quite a distance from me. Alert. And my spelling mistakes are really annoying script. And finally, we can use the document. My God, man my typing document dot alert dot cookie, sorry, we are we have already sent the alert, we will use the doc document, that alert would essentially display the entire webpage, document dot cookie. And in here, we close the first script. And sorry, the the initial script. And then we close the last one year. So script. And we close that right there. And finally, we can give this a rating and resubmit. And that should submit it. I don't know what the issue is here. And then there we are. Also some Alright, so there we are. Thank you for your feedback. So you did submitted there. Let me zoom back out. Now, you can see that, where would you go to launch the script? That's, that that will be the question that you might be asking. So on this in this structure, you can pretty much experiment with all the other pages. And again, I do recommend that you use you know directory discovery tools, like there Buster go buster, whatever is comfortable for you. So with this in mind, if I was to just click on About Us, you can see that that is where the the the feedback in regards to contact is stored. So there you are, there's the cookie. And if I was to if I was to have implemented a script that would send the cookie to my server, once I access to this page as an authenticated user, it would send my my session ID all of that good stuff to my web server, I now be able to crack the password and authenticate with your account. As simple as that without ever knowing your password without ever trying to have guessed it without without ever trying to have exploited your system. I exploited the web application. And because of the the ability of the developer of the web application to secure the cookies, I was able to get into your account and god knows what else you can do in that person's account. And this is you know, this is tribute to my all my Facebook hacker friends out there who think hacking Facebook is about cracking and brute forcing. There you go, you know, web applications can can be cracked in or can be exploited in different ways. Now, of course, as I said, it's going to get really exciting as we move along with Duchamp. And that's the reason I'm using it because it explains how this can be done on a real website. And yeah, we're going to be looking at OWASP juice shop. And it seems to replicate what a real web application would be a fairly poorly designed one. But the thing I like about it is, it has varying levels, levels of difficulty. And that's really, really awesome. I have it set up on Heroku, as you can probably see right over here. And that works perfectly fine for me because I you know, I wanted to set it up really quickly, I want to run it on my local server, you know, using node or Docker. That's really is, I really didn't have the time to do that. But if you want to you can, you can use Heroku. And it should be free for you. So yeah, definitely go ahead and give it a try. And you should have a an instance set up for yourself. So you can go ahead and do it. And it's giving us a prompt here telling us that this website uses fruit cookies to ensure you get the juiciest tracking experience. Now, from my experience, I would hit accept the cookies because essentially, that's what keeps track of your progress. And yeah, that's pretty, that should be quite good. Now as for my browser, I'm using the latest version of Firefox and I have you know, plugins or add ons like cookie editor. And that's pretty much what we'll be needing In this video, I hope and we don't have the the proxies here like sorry, Foxy proxy to allow us to use things like burp suite or zap whatever you want to use. OK, so let's get started. Now the first challenge, as I believe is to get the the scoreboard and we should start from there. And to do this, I think I have done this already. That's really very simple. All we need to do is well first of all before we actually do that, the interface is quite simple. It is a juice shop as you probably can see and could have understood and they sold juice. Now the great thing that I like about OSU shop is that this replicates a real life a web application with you know, security, misconfigurations, etc, etc. So if I log in, you have your login page right over there, man, you can create a new account if you want to, you can search where the Contact Us page allows us to, you know, essentially contact whoever is behind the site. Then we have an About Us page. And the thing I like about this is, as I said, it replicates what I would call a real web application. Now when you talk about, about the scoreboard, I think that can be accessed really quickly by going into scoreboard like so. So, you know, we can just hit scoreboard. And if I enter, that should give us the scoreboard. Alright, so it gives us the notification once you've completed the challenge, and the reason it does this is to notify you of your progress. Remember, this can be considered a capture the flag type of challenge, but I wouldn't call it this I think this is fantastic for essentially explaining the concept here. Alright, so let me explain how the scoreboard is essentially works. Alright, so a scoreboard is as follows. Sorry about that, if you had my phone, it always seems to do that. So we have, we have the challenges sorted in terms of difficulty. So we have a one star, two star, three star, four star, five star and six star. And they all have various challenges within them. So for example, the the difficulty sought in terms of star so you get the idea, one star is quite easy, two stars, you know, not so easy, we have three stars, things are getting a bit sweaty here, four stars, now we're talking five stars, I'm banging my head on the wall, and six stars, that's going to take you probably a few, a few days, or, you know, hours depending on your determination. Alright, so you can see it also gives you the gives you the challenge names here. So if I click on the two star challenges, you can go ahead and look at the challenges there. And we brought I think in the previous videos, we covered a lot of the two star and three some of the four star challenges that we wanted to go through. So the three star challenges are where things get really awesome, because it does start logging in with other users. And there's a bit of cross site scripting, I'm not going to go through all of that, let's start off with what we can do. Alright, so the first challenge in the first is access the administration section of the store, or right, so I'm guessing we have to try and log in, I think I've done this, this is the first challenge, we have to access a confidential document provoked an error. That is not gracefully, very gracefully handled, not to show that is let us redirect you. I'll try and cover as many as I can. In one video, we have cross site scripting attack. This was simple. I think we covered this. So yeah, we can pretty much run that in one of these right over here. So script, and alert, as it already gives you hints these are very, very easy. So I can just say test. Have I given the OP Sorry, my bad. So yeah, there we are test. And we close that up. And we also close the script right over here. And we hit Enter. And there we are. So that is one of the challenges solved, hopefully did pop up there. So if we go back to the scoreboard, it still tells us for some reason, the web application is too low, it's not told us that we have performed a reflected cross site scripting, all those I don't know, right, so reflected. Anyway, we'll get to that when we get to it. So if we inspect the login page, what we can do is we can create a user. So I'm going to create a user here. And I'll just use a simple user here called test@test.com. And the password or call that password. And I'm going to repeat the password here. And I'll just call the password password. And I'm just going to use name of your favorite pet. And I'm just going to say dog right over here. I'm going to hit register. And we're going to save that. Alright, so I can log in now. Did I log in with the correct test? Yeah, there we are. And we're going to log in, and we are logged in. Alright, so let me just zoom out. So the interface does not really crashed on us. Let me just get rid of that. All right, so it's sorted out really well. We have the language selector here your basket, which essentially allows you to select your to view the items in your basket, you then have your coupon if you want, if you want to use a coupon and you have your checkout, which essentially I believe takes you to the the OWASP juice shop, donate page if I'm not wrong. Let's just see if that is correct. Yeah, yeah. So if you want to support the project, I would, you know, you can donate to them. It's a really great project. I really do recommend that if you can you do so. So you can change your password, which is awesome. I think we also took a look at this and how to change it using using the GET requests. Contact us where you can necessarily write in, you can contact the person via the site or the administrator as I would believe. You can comment, recycle recycle what this requester recycling box so you can type in liters here that has a selector. Alright, okay, that's not too bad. We have a complaints board. And the scoreboard itself here, which for some reason, keeps doesn't really load. So let's try and work on the first section. As I mentioned, I'll try and cover as much as I can here. And you have the About Us here that has some sort of Let's see some sort of checkout or boring terms of views. Let me just check the scoreboard what exactly are we supposed to do? Because access the administration section? What's in the two star here? login with the administrator. All right, so we're trying to access the administration section. So let's try and access that right over here. So I'm just gonna type in admin administration, like so I'm gonna hit Enter. And yeah, that was pretty easy. And we get the email right over here, admin and do shop. That's the admin email. And we have all the emails right over here. So we have you met juice, juice shop, Bender, and some other uses. And we have also, yeah, alright, so we got the registered users customer feedback, and the recycling requests that have been posted so far. Which means you're starting from the basics. So I think we can try and log in with admin, but we don't know the password. So yeah, so I'm just going to log out. And let's see if we can log in with the password here. admin, I do shop, and I probably I'm probably guessing we have to use SQL injection. And in this case, I think I know what to do, because I have done this before. But it has been changed quite a bit since the last time because I think in the previous versions, it was with admin only, there was no domain oza username, I'm not too sure. Anyway, let's try and see if we can throw some errors here. So if I log in, alright, so that means you have to provide a password. So let me just try and use the single quotation. And let's see if that Yeah, it does throw an error. And there Yeah, we completed the other challenge, which you successfully solved the challenge error handling provacan errors here. So essentially, performing error enumeration, if that's something you've never heard of, it's essentially where you just try and see all the CE o 's fuzzing really just throwing, you know, information at the system, seeing how it responds. And we get here the query. So we are performing SQL injection, because as you can see, tells us here we have the the query right over here, which is telling us select and what this is saying is select all entries from the user table where emails are equal to and we specify the single quotation. And the password is what is this? This looks like a hash? What hash is this? Let me just check. I'm think it might be MD. Five, I'm not too sure. Let me just check this hash identifier. And we just paste that in there. Sorry about that. Let me just paste that in there. Yeah, this is an MD five hash. So that probably let's just see if we can decrypt that or decode that. So I'm just gonna say MD five decrypter, or something like that. Let's just see if we can do this online really quickly. Come on, come on. I want to see what error because that's, that's a password. Let's decrypt that. And we'll for some reason, it's taking too much time here. So yeah, yeah, it's essentially hashing the password. Alright, interesting stuff there. We actually now know that the password is being hashed, obviously, you know, with the Mt. Five, hashing algorithm or protocol, whatever you wanna call it. So original. And yeah, that is the query statement there. So we can try some basic SQL injection. And some of the basic ones to log into admin or to essentially log into the administration, the admin panel is, now the thing that's weird is are we going to use the password do we're trying to get authentication so that means let me disclose that. That means if we just throw the error one more time, or get the when you were able to get the query here. So we are saying select actually start from there. Select from users, so select all queries, all entries from the user table, from where email use the table. So there's users Alright, so the user, the user table as email and password, okay, I follow now. So that means we can try we can try, we can try and use the or statement here. And probably we can use the not statement if we are going to Yeah, that will make a lot of sense, but we only using email so we'll keep the single quotation. So what that means is, is if you know about SQL injection, hopefully I can explain what's going on here. So we know that the password is being hashed, we're saying select from the table where email and password. So that's the statement. So select from the table for sort of select from the users table where the email and password is going to be equal to is going to be equal to what we have entered. But remember, the the password has to be has to stay as the single quotation. So that means your we are going to be using the or so this is basic use, you guys should be knowing this, but if you want me to cover it, let me know so or equals or so or one equals one. And the other ways of doing this, I think I'll post a cheat sheet in the description section, you can check it out for yourself just to get up to scratch with what's happening. So what we're saying is we're using the or the or the syntax of or is very simple. It's where we have the what's happening here is we're seeing, we're seeing Okay, so if you know the syntax for how a query is made in SQL, it's really very simple. So we're saying select from, from the table, remember, this is specifying a table, not a column. So it says select from the users table from select from the users table, email password, so comparing and then we say all the new specify the condition with a value, we can enter our into fields. So we can say the value of the email can always be changed. And we obviously know that that is the first account that was created. And the password is going to remain the same. So we hit login. And yeah, we get still keep on getting an error here. Now, that is weird. No, because if I specify there is no comment here, or one equals one, yes. So it is working. So you can see. So select from users, where one equals one and password. Yeah, so we want to nullify and password we don't want and there. So for that we use the user comment here. And there we are. Excellent. So we're able to log in to the administrators use account. Alright, so let me explain what happened there. So as I said, the the syntax of the query was as follows we're selecting from the users table, we're selecting the email and password and comparing them to each other. So they have to match show up, you're performing a query, a simple query, and what we said is, or that's a conditional statement. So we're saying or that we specify the condition where the first value is going to be equal to the the, the first one is going to be equal to one, and we nullify the, the password where the password was we're essentially removing authentication. And we are what because we're including the comment syntax for SQL. Alright, so that was pretty simple. But now, the thing that's bothering me is we don't have the password. So let me just check the scoreboard. And let's see what progress we've made so far. So have access administration section that's not in here that is in here. So log in with the administrators use account. Marino the password. So I think that's how we're going to be logging in. We know the email, because if I just go back into administration here, administration, I hope the video is not getting too long. So we have the admin. We have the admin email here. Um, oh, yes, yes, yes, yes, we have the token. So if we inspect the element, and we go into the cookie editor, for example, we can use that or you can just use storage. But I should have done it, you know, from the cookie editor from the beginning. So we have the the token here. And I talked about this in my other video actually went through this with the token. So. So we're gonna say token, I think the site was it's a JSON tokens, a token, decode, and should be the first site here, the JSON web token. So jw t.io. That's an excellent site. And we talked about this. So if you want to watch that video, I'll post it in the description. So you can check it out. And the email is admin. So that's the authentication token, and that gives us all the information we need. All right, so we have the password here. But again, what is this hashed into? That looks like MD five again, but let me just confirm, and let's see what that gives us. So the password is hashed, as we know with MB five, so let's just confirm hash identifier, because there we are. Yeah, it is MD five. So let's just decrypt that one more time. So I'm just gonna paste in that hash there. I'm just going to decrypt let's give that a few seconds. Oh, my God, man, all the traffic lights. And let's hit verify. And yeah, there we are. The password is I mean 123 Yeah, that's that's pretty basic, but again, replicating common practice that you would find. So what was the email? Oh, boy, what was the email? Let me just log back out. Correct. All right. So let me just use the statements. Oh, yeah. So we're logging in. So all one equals one, because we're all the waters the I think we can access the the middle from the administration. Sorry about that, guys. I know, I'm getting really mixed up. Well, we're not logged in yet. So anyway, let me just log in. And we can do the administration here. stration. And the admin I do shop at juice shop, a juice.up. Yeah, that's there to confuse people. So you can guess it? And we're logging in with that. And the password is admin 123. We're going to log in, and yeah, fantastic. So you solve the challenge password strength. So that was the problem there. That's the vulnerability that they're trying to say exists. So you know, again, password strength is something that people don't take into account, login within message user credentials, without previously changing them or applying SQL. Could you have done this with SQL injection? Probably, I'll have to cover SQL injection, because we know SQL injection is one of those things that's really dependent on the query. So let me just go back to the scoreboard here. I don't understand what else is left. There's still a lot of stuff that have to cover. I talked about cross site scripting, but I think I'll cover that in the next video. We'll explain it again. What is the what is the the confidential document error handling? Or we don't have anything much they're actually someone else's basket? I did that. What else should I want to cover here? Let's look at these ones right over here. So yeah, so the authentication area here is where I want to look at. I think that's where I'm going to end this video. I know, I haven't covered any advanced stuff. But hopefully that's like an introduction. So where we, where we have been able to log into the administration in the administrators account, we are able to get the scoreboard the administration panel, what else were we able to do? We were able to provoke an error, not saying no nothing really complex there. And we were able to log in with the admin tree at the administrators group user credentials. Now we looks like we can actually get access to Max's search original users credential so again, another user that we can try and get access into. Yeah, that's gonna be it for this video. Guys. If you found value in this video, please leave a like down below. If you have any questions or suggestions, let me know in the comment section on my social networks or on my website, and I'll be sure to leave your reply and I'll be seeing you in the next video. Peace, guys.