1
00:00:00,180 --> 00:00:04,380
So why everyone in this lecture, what we're going to cover, we are going to learn about injections

2
00:00:04,380 --> 00:00:10,290
or discom injection, so as we all know of applications that are dynamic in nature, music scripts to

3
00:00:10,290 --> 00:00:15,210
invoke some functionality in the command line on the Web server to process the input received from the

4
00:00:15,210 --> 00:00:15,840
user end.

5
00:00:16,410 --> 00:00:21,630
And an attacker would try to get its input processed at the command line by circumventing the input

6
00:00:21,630 --> 00:00:27,450
validation filters implemented by the application cycle index and usually involves the commands on the

7
00:00:27,450 --> 00:00:28,650
same web server.

8
00:00:28,830 --> 00:00:35,220
And but it is possible that the command would be executed on a different server depending on the architecture

9
00:00:35,220 --> 00:00:36,660
of the application.

10
00:00:36,870 --> 00:00:42,940
So now let's see what are the parameters, what are the parameters where you can inject the data.

11
00:00:43,320 --> 00:00:48,690
So when you are testing of application for communication flow and you have identified that the application

12
00:00:48,690 --> 00:00:52,140
is interacting with the command line of the underlying operating system.

13
00:00:52,980 --> 00:00:58,440
So the next steps should be to manipulate and block the different parameters in the application and

14
00:00:58,440 --> 00:00:59,580
view their responses.

15
00:01:00,000 --> 00:01:04,650
So now, as you can see, they are following parameters should be tested for the communication flow.

16
00:01:04,890 --> 00:01:10,920
So the application may be using one of these parameter to command the server end or get the first you

17
00:01:11,040 --> 00:01:12,040
A listers get.

18
00:01:12,270 --> 00:01:20,490
So in this method, input parameters are sent in UOL and as you can see that the input from the client

19
00:01:20,730 --> 00:01:27,840
was passed to the server, get the matter using the method and was unable to the command decision flow

20
00:01:27,990 --> 00:01:32,150
and any user control parameters send using that method request should be tested.

21
00:01:32,460 --> 00:01:33,810
Then we are having both Porthmadog.

22
00:01:34,000 --> 00:01:41,670
So the post method input parameters are sent in the study as to the body, which is similar to the input

23
00:01:41,670 --> 00:01:48,540
being passed using the and data taken from the end user can also pass using the post method in the body

24
00:01:48,540 --> 00:01:50,190
of the HTP request.

25
00:01:50,220 --> 00:01:59,040
OK then we are having ATP header, so application often use header field to identify end user and display

26
00:01:59,040 --> 00:02:03,020
customised information to the user depending on the values in the header.

27
00:02:03,300 --> 00:02:07,170
So these parameters could also be used by application to build further queries.

28
00:02:07,530 --> 00:02:13,600
OK, so these are the parameters where you can inject the data for finding the communication flow.