1
00:00:00,300 --> 00:00:10,440
Welcome everyone, this is a niche and this is the new section entirely, you know, interesting section

2
00:00:10,440 --> 00:00:14,120
where we will be going with the application hacking. So far,

3
00:00:14,160 --> 00:00:19,280
we have learned about the other endpoint-related hacking as well.

4
00:00:19,300 --> 00:00:19,600
Very.

5
00:00:19,650 --> 00:00:22,370
And we have talked about the Windows, Windows hacking.

6
00:00:22,380 --> 00:00:26,010
In fact, here we'll be talking about web application hacking.

7
00:00:26,430 --> 00:00:31,770
So before we go into it, let's go through some introduction and let's look at some of the numbers,

8
00:00:31,770 --> 00:00:38,700
statistics, the motivation and other stuff as well related to hackers' mind and everything.

9
00:00:38,820 --> 00:00:39,200
All right.

10
00:00:39,810 --> 00:00:43,800
So the first thing that is very, very important to understand is why.

11
00:00:44,670 --> 00:00:46,800
First of all, why we need to secure it.

12
00:00:47,070 --> 00:00:52,170
Because being a hacker, being an ethical hacker, our job is to have been warned.

13
00:00:52,590 --> 00:00:56,580
But there has to be a reason to have security solutions to it.

14
00:00:56,580 --> 00:00:56,890
Right.

15
00:00:57,300 --> 00:01:02,940
So I understand why people are looking for web application security.

16
00:01:02,940 --> 00:01:08,940
And of course, if people are looking for application security, then only they would hire an ethical

17
00:01:08,940 --> 00:01:14,480
hacker to penetrate, to hack and secure them after that.

18
00:01:14,490 --> 00:01:14,760
Right.

19
00:01:15,390 --> 00:01:19,850
So why the security is really that important?

20
00:01:19,860 --> 00:01:29,430
Because the company itself because in the past, around 10, 15 years, if you have noticed a lot of

21
00:01:29,430 --> 00:01:35,190
news, this is all organizations have been in the news for not so good reason.

22
00:01:35,490 --> 00:01:38,190
There have been multiple data breaches.

23
00:01:38,460 --> 00:01:46,350
And many of the organizations that you see, these are the large embassies were and they have faced

24
00:01:46,350 --> 00:01:49,800
a lot of they have faced breaches.

25
00:01:49,800 --> 00:01:54,310
And then following to that, they have faced the penalties as well.

26
00:01:54,720 --> 00:02:02,310
And, of course, the biggest loss of customer trust, loss of business, the loss of trust from their

27
00:02:02,310 --> 00:02:04,470
vendors, third party, everything.

28
00:02:04,740 --> 00:02:08,190
And that's why they keep improving their security afterwards.

29
00:02:08,820 --> 00:02:11,220
Now, that's the idea, right?

30
00:02:11,230 --> 00:02:13,470
There have been multiple attacks.

31
00:02:13,470 --> 00:02:15,270
Breaches happened in the past as well.

32
00:02:15,630 --> 00:02:23,850
Now, there are there are some stats which talk about what attempt has been taken so far and how how

33
00:02:23,850 --> 00:02:26,010
secure the moment really looks like.

34
00:02:26,370 --> 00:02:28,920
But it doesn't read that key so far.

35
00:02:28,950 --> 00:02:35,490
If you look at these stats related to 98 percent of the WordPress vulnerabilities are due to the plugins.

36
00:02:36,420 --> 00:02:38,760
WordPress is, of course, very much popular.

37
00:02:38,760 --> 00:02:39,150
Right.

38
00:02:39,720 --> 00:02:49,690
So it said that 90 percent of the plugins are vulnerable to the plugins are basically has the vulnerabilities.

39
00:02:50,700 --> 00:02:56,580
In fact, the WordPress platform itself is not that weak, but the challenge comes.

40
00:02:56,580 --> 00:03:04,620
And when we start adding, we start adding multiple plugins to it, which are not really that authorized,

41
00:03:04,620 --> 00:03:06,480
which are not really that tested.

42
00:03:06,750 --> 00:03:12,870
And that becomes a challenge for us, but even for anybody who holds their application or sensitive

43
00:03:12,870 --> 00:03:13,770
information on it.

44
00:03:13,890 --> 00:03:14,150
Right.

45
00:03:14,610 --> 00:03:21,570
So if you look at the other sites, in fact, FBI reported three or 300 percent increase in the number

46
00:03:21,570 --> 00:03:24,260
of cybercrime cases during the COVID-19.

47
00:03:24,510 --> 00:03:25,040
Of course.

48
00:03:25,050 --> 00:03:26,000
Of course, that accurate.

49
00:03:26,010 --> 00:03:26,780
And that's new.

50
00:03:27,240 --> 00:03:27,520
Right.

51
00:03:28,350 --> 00:03:37,140
So in the do in fact, during the situation itself, there have been multiple attempts based on the COVID-19

52
00:03:37,410 --> 00:03:42,300
subject line, the phishing campaign that has been attempted and many other stuff as well.

53
00:03:43,200 --> 00:03:47,260
On an average, 30,000 new websites are getting hacked every day.

54
00:03:47,280 --> 00:03:50,970
In fact, this news is also very much recent based on defaults.

55
00:03:52,350 --> 00:03:56,080
And this is also one of the stats and of course, many others as well.

56
00:03:56,100 --> 00:03:56,370
Right.

57
00:03:56,670 --> 00:04:05,070
So this gives you an idea that no matter how much security we keep deploying, hackers are always after

58
00:04:05,490 --> 00:04:13,170
the organization where the and where the juicy stuff really resides, where they can actually find some

59
00:04:13,170 --> 00:04:17,100
information or they can actually compromise those targets.

60
00:04:17,100 --> 00:04:24,900
And they know that they can get a really good, good, good returns in terms of ransom or in terms of

61
00:04:24,900 --> 00:04:25,880
any other values.

62
00:04:25,890 --> 00:04:26,180
Right.

63
00:04:26,460 --> 00:04:33,660
It's or maybe it could be any other, you know, the average when we even talk about some other security

64
00:04:33,660 --> 00:04:34,860
or some other challenges.

65
00:04:34,920 --> 00:04:43,110
Well, you know, about user I.D., how, how, how if you look at from the hacker point of view, if

66
00:04:43,110 --> 00:04:52,410
they thought about hacking any of the user information or any of this site and retrieving somebody else's

67
00:04:52,410 --> 00:04:58,050
information or impersonation or any sort of stuff, let's get an idea how secure it is.

68
00:04:58,050 --> 00:04:58,550
In fact.

69
00:04:59,070 --> 00:04:59,550
So.

70
00:05:00,140 --> 00:05:06,590
This is basically a chat about what are the different best practices or I don't say best practice,

71
00:05:06,590 --> 00:05:14,390
but I'll tell you what are the passwords being used by any of the normal home user or, in fact, anybody?

72
00:05:14,420 --> 00:05:14,730
Right.

73
00:05:15,080 --> 00:05:21,560
So if you look at the passwords, the one two three four five six, this is the password which is

74
00:05:21,560 --> 00:05:24,160
being used by more than 2.5.

75
00:05:24,530 --> 00:05:28,480
That's the number that is the number of users who used it so far.

76
00:05:28,730 --> 00:05:32,410
And just guess how much time would it take to crack this password?

77
00:05:33,410 --> 00:05:34,280
Absolutely.

78
00:05:34,290 --> 00:05:35,150
Less than a second.

79
00:05:35,150 --> 00:05:37,250
I'll tell you how exactly it's going to work.

80
00:05:37,520 --> 00:05:43,580
When we launch a brute force attack, dictionary attack in the later section and then later lectures,

81
00:05:43,580 --> 00:05:49,910
well, you get to see you can quickly crack a password, which is of one, two, one, two, three,

82
00:05:49,910 --> 00:05:50,980
four, five, six, three.

83
00:05:51,380 --> 00:05:53,710
Number of times it's got exposed.

84
00:05:54,140 --> 00:05:55,140
That's the number.

85
00:05:56,150 --> 00:06:02,570
And if you look at these, what these are the these are the password, which is being majorly used.

86
00:06:03,200 --> 00:06:10,250
And of course, you can check it out the stats as well, which has been only online available to picture

87
00:06:10,250 --> 00:06:11,380
one password.

88
00:06:11,400 --> 00:06:12,890
This is highly being used.

89
00:06:12,900 --> 00:06:15,220
This takes only less than seconds.

90
00:06:15,560 --> 00:06:18,590
And of course, this is the, again, widely used password too.

91
00:06:19,070 --> 00:06:19,420
Right.

92
00:06:19,430 --> 00:06:27,400
So that makes their job even more easier and far before they can think of compromising the target.

93
00:06:27,410 --> 00:06:33,410
The thing of why not to compromise the user itself or maybe the admin credential of the big game if

94
00:06:33,410 --> 00:06:38,330
they were very much lucky, they didn't even get the access to the admin account.

95
00:06:38,340 --> 00:06:42,670
If the admin has such passwords, such rete password, in fact.

96
00:06:43,250 --> 00:06:43,610
All right.

97
00:06:43,880 --> 00:06:46,010
So let's understand a couple of more stuff.

98
00:06:46,010 --> 00:06:50,900
Why hackers are after your web application or websites.

99
00:06:50,900 --> 00:06:53,120
What's their what's their thought?

100
00:06:53,120 --> 00:06:55,160
What what are they actually looking for?

101
00:06:55,500 --> 00:07:01,820
The first thing that the images are of very interesting stuff.

102
00:07:02,420 --> 00:07:07,520
But this makes sense when based on their motivation.

103
00:07:07,520 --> 00:07:07,840
Right.

104
00:07:08,180 --> 00:07:13,100
So the first thing that they have motivation is about sensitive information.

105
00:07:13,100 --> 00:07:20,630
They are looking for sensitive information that this information could be of credit cards, account

106
00:07:20,630 --> 00:07:23,330
credentials, personal information or anything.

107
00:07:23,330 --> 00:07:28,340
But what they actually going to do after this, once they get the credit card information, they can

108
00:07:28,340 --> 00:07:34,090
buy any, any, any stuff of using your credit card and all this stuff.

109
00:07:34,460 --> 00:07:38,270
This is now very much regular and this keeps happening every other day.

110
00:07:38,270 --> 00:07:38,570
Right.

111
00:07:38,870 --> 00:07:44,420
Although there are some security measures that other countries make use of it, like two-factor and

112
00:07:44,420 --> 00:07:50,780
many others, some countries still don't make use of it or some organization because they think that

113
00:07:51,320 --> 00:07:56,560
they if the customer lose the flexibility, they may lose the customer as well.

114
00:07:56,860 --> 00:07:57,210
Right.

115
00:07:57,650 --> 00:08:00,560
So still, the second is the intellectual property.

116
00:08:00,560 --> 00:08:05,450
The hackers are also after the organization's intellectual property.

117
00:08:05,600 --> 00:08:07,130
Why are they looking for it?

118
00:08:07,140 --> 00:08:15,410
It means only the state-sponsored actors for maybe political reason or maybe any other reasons as well.

119
00:08:16,100 --> 00:08:21,680
But it could be even a competitor as well who is looking for certain information.

120
00:08:21,920 --> 00:08:28,730
Some, you know, organization's secret document as well or customer databases.

121
00:08:28,730 --> 00:08:30,080
But it could happen, right?

122
00:08:31,010 --> 00:08:34,190
Malware delivery medium for this purpose.

123
00:08:34,190 --> 00:08:41,210
The hacker, the hack motivation of hackers to make use of your website just as a medium so that this

124
00:08:41,210 --> 00:08:47,630
site can be used for sending and receiving or receiving all the command and control signals.

125
00:08:48,230 --> 00:08:56,030
And so even if the anybody did take the, you know, the website, they will not be they will not be

126
00:08:56,030 --> 00:08:57,470
able to track who is the hacker.

127
00:08:57,470 --> 00:08:57,680
Right.

128
00:08:57,920 --> 00:09:02,450
So they can use your website as a medium as an attack vector.

129
00:09:02,900 --> 00:09:09,710
And that case, they don't really they look for a small and medium sized website, not really, you

130
00:09:09,710 --> 00:09:16,250
know, large organization who has a lot of services on it becomes difficult to compromise their site

131
00:09:16,250 --> 00:09:16,730
as well.

132
00:09:17,390 --> 00:09:24,140
And this is important for sending some ransom command and control center, crypto mining and all the

133
00:09:24,170 --> 00:09:34,040
stuff, lots of code just for fun to simply just for fun or in any way when somebody just learned hacking

134
00:09:34,040 --> 00:09:36,890
and they just want to see how the world really looks like.

135
00:09:37,130 --> 00:09:44,330
And that's why I even I insist all of my students want to draw their own lab before going into the real

136
00:09:44,330 --> 00:09:53,420
world and never try hacking or trying to find any vulnerabilities of any of the site because it's completely

137
00:09:53,420 --> 00:09:59,750
illegal to scan or to do any kind of testing or perform any kind of hacking

138
00:09:59,840 --> 00:10:00,720
without their permission.

139
00:10:00,770 --> 00:10:07,850
All right, so people do that, of course, and the thing that nobody can trace it, and that's that's

140
00:10:07,850 --> 00:10:08,860
what the point is.

141
00:10:09,350 --> 00:10:16,040
So I hope this was informative. I will catch you in the next lecture where we will start with some basics

142
00:10:16,040 --> 00:10:21,620
of HTTP and then start gradually moving into web application

143
00:10:21,620 --> 00:10:22,920
hacking as well. Till

144
00:10:22,940 --> 00:10:25,050
Then keep learning and we'll get you in the next one.

145
00:10:25,070 --> 00:10:25,550
Thank you.