Hey, guys, welcome back to another episode on How to Hack, and today we'll be discussing insecure login via WebGoat. WebGoat is a vulnerable Web application platform for us to test on the OWASP Top 10, which is the Open Web Application Security Project Top 10. And we have been doing a number of tutorials as part of our Web application penetration testing series.

So as a result of this, on number three, which is sensitive data exposure, we have insecure login. So over here, it's very important for us to be able to protect the data both at rest as well as in transit. At rest, because when a hacker is able to gain unauthorized access into the database, whatever they pull out, all of the tables will just be gibberish data unless they have the encryption key. And at the same time, for data in transit, we need to encrypt them so that whoever is in the middle (the man-in-the-middle attack that we have seen in the previous tutorials) will not have the ability to see all of that data as it is being transmitted to and fro between the browser and the Web application system. So, for example, if you join a wireless connection and that wireless connection belongs to a hacker, they will be able to see all that data as it is sent to and fro, especially if encryption is not enabled. So over here, we will learn about using packet sniffing on the Web browser.

So over here we have the lesson and it says: click the login button to send a request containing login credentials of another user, then write these credentials into the appropriate fields and submit to confirm. Try using a packet sniffer to intercept the request. So there are a couple of options that we can use. And the first option I want to demonstrate to you over here is using the Web Developer function. So you go to the top right corner on the menu, click on it, click under Web Developer and click under Network. So go and click on that and it will begin tracking everything that is being sent between your browser and your Web application server.

So in this case, all right, we can actually click on our login and we can click on POST and we can see over here we have a dot dot MVC. All right. So he's to follow five matya. Not a lot. And we can look at these parameters and we can look at the response. So, of course, the response is "Request method POST not supported". But if you look at the parameters over here, in this case, immediately we can see the data that is being sent to and fro to the Web application system. And of course, in this case, we have the username CaptainJack and the password BlackPearl.

So this very quickly demonstrates how the hackers could have seen all that data that is being transmitted, especially if it is not encrypted. All right. Which is why we can see the JSON form here under Parameters, and we can click on Submit. All right. And immediately it says congratulations, you have successfully completed the assignment.

So, once again, thank you so much for watching. And I hope you learned something valuable in today's tutorial. Like, share and subscribe to the channel so that you can be kept abreast of the latest in cybersecurity. Thank you so much once again for watching.