[00:00:12] Hey, guys, welcome back to another episode on How to Hack. So we're at the end of the challenges for WebGoat, which is a web application penetration testing series that we have begun with you, and of course, on the challenges, we have no hints. I want to take this chance to go through what happens when you are going through a use case of bug bounty or finding vulnerabilities manually in a web application system or server. And of course, we are on the second challenge, which is, of course, over here. It says, can you log in as Larry? So as part of this challenge, in a real-world scenario, you would have no hints. There will be no hints for you to take, or advice that will point you specifically in a direction as you try to break into the system. All right.

[00:01:02] So in this case, one wonderful workflow that you can actually try to follow is based directly on a hint that has been provided to you through this whole course, and that is on the left side: injection, broken authentication, sensitive data exposure, XML external entities, broken access control, cross-site scripting, insecure deserialisation, vulnerable components, request forgeries, as well as client-side attacks.

[00:01:33] OK, so what I mean exactly is that as you're doing all this bug bounty web application penetration testing, you can actually try to go through each and every one of this Open Web Application Security Project top 10. And as you try it, you realize that it becomes a workflow for you. And of course, in this case, we have a login page. All right. And which is going to be the most applicable for a login page? Chances are you will start off with injection. All right. And you'll be looking for other input places. You could be looking at cross-site scripting. So you start off with that, and you'll look into other places or parts of the website where you could possibly try to run some of these vulnerability checks and find out whether there are any input forms, any parts of the server that could be exposing data. So very quickly, we'll be able to find all the details. All right.

[00:02:29] So without further ado, let us go ahead with the tutorial. So in this case, we are straight into the login page, right. For this particular challenge, no hints. So what do we do? Right. So it says the following is a login page, we have not submitted anything, and it says, can you log in as Larry?

[00:02:46] OK, so I'm going to go ahead and enter larry, and I'm going to enter, say, for example, the password as larry, and see what we get in a normal use case. So a normal use case, meaning that as you're signing in, you're testing out the input forms and so on. You want to try to just enter what a normal user would enter into the inputs. OK, so go in and click on login, and once you click on login, it says, please try to log in as Larry, not larry. OK, so with a capital L. All right. So immediately we can change that up. I can change it to a capital L. All right. So it's case sensitive. And when I click on login, it says this is not the correct password for Larry. Please try again. All right.

[00:03:33] So obviously, right at the top here, it already has some kind of check or some kind of verification that you can only enter this particular user name to enter the site. OK, and of course, for the password, you can enter any value that you want. OK, so in my case, we can use a number of examples. All right. So we can try, for example, over here, a SQL injection that we could try to insert into the system.

[00:04:00] So, for example, I can enter a semicolon or a single quote, so I can enter a single quote and I can enter password, for example. OK, and when I hit login, all right, at the bottom you'll be able to see: this is not the correct password for Larry. Please try again. So we can see this kind of detail and data directly by trying it out. All right. So we can try a single quote as well. So, for example, over here I can enter a quote, and I can copy the information and go into the password field and paste it and click login. All right. So once I go in, once again, we're not able to get any response from the server.

[00:04:37] OK, so what we can do next is that we can go and try to automate some of the SQL injection. So one of the ways is, of course, via sqlmap, which we have done as part of the course. The other way is more of a manual approach, which is using Burp Suite. So again, we can head back to preferences, go into network settings, and we can enable the manual proxy configuration. Click OK on that. And we have it running right here. OK, so all I've got to do right now is I can actually turn on intercept in Burp. All right. So once I have the intercept turned on, I can go back to the site, enter some data and click on login. OK, and of course, in Burp Suite, OK, I can drop these lesson overview and lesson menu requests. All this information is always sent to the system. So in this case, we have a POST. All right. Which is where we are trying to log into the web application system. And right at the bottom, we have username_login and we have password_login. All right. So I can do a right-click and Send to Repeater, or you can use Ctrl+R as a shortcut.

[00:05:46] So once we go to Repeater, OK, for example, over here we have the following information. All right. So here we have the following. OK, so we have username and we have password. OK, so all you're going to do is try a password, so I can try, for example, Larry, which we have tried earlier, and we recognize that we were not able to get a response. So it says over here as feedback, this is not the correct password for Larry. Please try again. OK, so what about if we try a single quote? All right. So we have a list of all those payloads that we can inject into the web application system as part of SQL injection, as part of learning SQL injection.

[00:06:27] So again, this is a more manual approach in learning about how we can do manual payloads into web application systems. So I can go ahead and click on Send. And right here, we will get the error message. So sometimes a lot of these error messages do not get shown in the web application system, because it is trying to mask some of these error messages and configuration feedback that could accidentally expose a lot of data. So back here, back in Burp Suite, we are picking up all those different responses. So over here we can see the following error message: request processing failed, nested exception around the statement, as you can see over here. All right. We have a syntax error in the statement SELECT password FROM challenge_users WHERE userid = 'Larry' AND password = ''', three single quotes right here. OK, so what we can do right now is we can put, for example, OK, we can put ' or 1=1, OK? And we can go ahead and click Send, which gives an internal server error, and we have request processing failed, nested exception, so we can read the syntax error exception. So it's showing us literally what we're entering wrongly. OK, so in this case we can see AND password = '' or 1=1'. All right. We have a double single quote here, then or 1=1.

[00:07:51] So what we can do instead is we can actually go ahead and enter a single quote before the 1, and then a single quote again right before the last one, and go ahead and click Send. All right. And it says, congratulations, you solved the challenge. Here is your flag, and you can copy and paste the flag into the web application system to track your score.

[00:08:16] OK, so once again, I hope you've learned something valuable, and if you have any questions, feel free to leave a comment below and I'll do my best to answer any of your questions. And do like, share and subscribe to the channel so that you can be kept abreast of the latest cyber security tutorials. Thank you so much once again for watching.
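The error shown in Repeater reveals how the lesson builds its query: the password field is pasted straight into the SQL text, which is why a lone quote produces a syntax error and `' or '1'='1` turns the WHERE clause into something always true. The added example below (not WebGoat's own code) reproduces that query against an in-memory SQLite table with a constructed `challenge_users` row, and places the string-concatenated version beside the parameterised fix so the difference in behaviour can be checked directly; the table contents and the password value are assumptions.

```python
import sqlite3

# Constructed sample data mirroring the lesson's query shape.
# The real WebGoat schema and Larry's real password are not reproduced here.
SETUP_SQL = """
CREATE TABLE challenge_users (userid TEXT, password TEXT);
INSERT INTO challenge_users VALUES ('Larry', 'constructed-sample-secret');
"""


def _fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SETUP_SQL)
    return conn


def login_vulnerable(userid, password):
    """Query built by string concatenation, as the Repeater error implies.

    Returns ("error", message) when the database rejects the statement
    (the feedback the lesson leaks), otherwise ("ok", <row found?>).
    """
    conn = _fresh_db()
    sql = ("SELECT password FROM challenge_users "
           "WHERE userid = '%s' AND password = '%s'" % (userid, password))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as exc:
        # A stray quote leaves the string literal unterminated.
        return ("error", str(exc))
    return ("ok", row is not None)


def login_safe(userid, password):
    """Parameterised query: the driver binds values, so quotes stay data."""
    conn = _fresh_db()
    sql = "SELECT password FROM challenge_users WHERE userid = ? AND password = ?"
    row = conn.execute(sql, (userid, password)).fetchone()
    return ("ok", row is not None)


def compare(userid, password):
    """Run the same input through both forms for side-by-side comparison."""
    return {"vulnerable": login_vulnerable(userid, password),
            "safe": login_safe(userid, password)}
```

`compare("Larry", "' or '1'='1")` shows the concatenated query accepting the login while the bound query rejects it; the lone quote and `' or 1=1` produce a database error only in the concatenated version, matching the sequence seen in Repeater.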