WEBVTT

0:00:03.680000 --> 0:00:07.280000
Web App Scanning with OWASP ZAP.

0:00:07.280000 --> 0:00:13.300000
Thus far, we have taken a look at how to utilize, how to install and configure

0:00:13.300000 --> 0:00:16.520000
ZAP, how to configure the proxy, how to use it.

0:00:16.520000 --> 0:00:19.680000
We have taken a look at the user interface and the dashboard, how to customize

0:00:19.680000 --> 0:00:21.880000
that to your liking.

0:00:21.880000 --> 0:00:26.600000
We have also taken a look at how to perform directory enumeration or how

0:00:26.600000 --> 0:00:31.000000
to perform a file and/or directory brute force with ZAP, specifically

0:00:31.000000 --> 0:00:35.900000
using the forced directory option or functionality.

0:00:35.900000 --> 0:00:41.420000
We can now turn our attention to arguably one of the most useful and most

0:00:41.420000 --> 0:00:43.760000
powerful features available in ZAP.

0:00:43.760000 --> 0:00:46.960000
Also available in Burp Suite Professional Edition.

0:00:46.960000 --> 0:00:49.200000
So again, you're getting this feature as well.

0:00:49.200000 --> 0:00:53.220000
And that is the process of performing a web application scan.

0:00:53.220000 --> 0:00:58.440000
That is an active scan on a web application with OWASP ZAP.

0:00:58.440000 --> 0:01:00.240000
Now, what's the importance here?

0:01:00.240000 --> 0:01:02.120000
Why would we want to perform a scan?

0:01:02.120000 --> 0:01:06.760000
Now, when I'm referring to a web app scan, I am specifically referring

0:01:06.760000 --> 0:01:09.760000
to a web app vulnerability scan.

0:01:09.760000 --> 0:01:13.700000
So this is not just useful for attackers or if you're a penetration tester,

0:01:13.700000 --> 0:01:18.480000
but this is very useful for developers in identifying very common vulnerabilities

0:01:18.480000 --> 0:01:20.400000
that you can easily fix.

0:01:20.400000 --> 0:01:26.760000
So this is something that, again, OWASP ZAP is highly utilized for and by

0:01:26.760000 --> 0:01:30.120000
developers whenever they're developing web applications.

0:01:30.120000 --> 0:01:32.140000
And it's something that you should do too.

0:01:32.140000 --> 0:01:37.320000
If you do develop any web app, make sure you run the actual active scanner

0:01:37.320000 --> 0:01:41.340000
or the automated scanner on a web application.

0:01:41.340000 --> 0:01:45.140000
And in this case, we'll take a look at a very cool example as to how this

0:01:45.140000 --> 0:01:51.480000
can be done. So this video has a lab environment attached to it.

0:01:51.480000 --> 0:01:56.160000
And again, you can watch it before or after; you can actually go through it

0:01:56.160000 --> 0:01:58.480000
before or after watching this particular video.

0:01:58.480000 --> 0:02:00.020000
It's entirely up to you.

0:02:00.020000 --> 0:02:03.460000
So what I'm going to do is I'm going to switch over to the lab environment

0:02:03.460000 --> 0:02:05.200000
and we can then get started.

0:02:05.200000 --> 0:02:07.640000
So I'll see you there.

0:02:07.640000 --> 0:02:10.960000
All right. So I am back within the lab environment.

0:02:10.960000 --> 0:02:15.180000
And as always, you'll be provided with a pre-configured Kali Linux system.

0:02:15.180000 --> 0:02:19.280000
So first step, of course, is to identify the target IP, which I will do

0:02:19.280000 --> 0:02:23.540000
by opening up a terminal and typing in ifconfig, where you want to

0:02:23.540000 --> 0:02:25.660000
identify your Kali Linux IP address.

0:02:25.660000 --> 0:02:30.180000
That is going to be associated with the interface eth1.

0:02:30.180000 --> 0:02:33.220000
So under inet, this is going to be your Kali Linux IP.

0:02:33.220000 --> 0:02:37.080000
So the way INE labs work is your subnet is most likely going to be

0:02:37.080000 --> 0:02:40.860000
different. However, the Kali Linux box is always the second IP within

0:02:40.860000 --> 0:02:45.240000
that subnet and the target system is the third IP within the subnet.

0:02:45.240000 --> 0:02:49.840000
So the Kali box is 192.138.65.2.

0:02:49.840000 --> 0:02:55.040000
That means the target is on 192.138.65.3.

0:02:55.040000 --> 0:02:58.300000
Again, remember, in your case, the subnet will be different.

0:02:58.300000 --> 0:03:02.160000
All you need to do is just copy this here and replace the two with a three

0:03:02.160000 --> 0:03:04.260000
at the end, and that's the target IP.

0:03:04.260000 --> 0:03:08.600000
So to begin, we can perform a quick Nmap scan.

0:03:08.600000 --> 0:03:12.700000
I'll use this fast scanning profile there and I'll also specify that we

0:03:12.700000 --> 0:03:15.320000
want to perform some service version detection.

0:03:15.320000 --> 0:03:19.880000
I'll paste in the IP I copied and replace the two at the end with a three

0:03:19.880000 --> 0:03:21.820000
and I'll hit enter.

0:03:21.820000 --> 0:03:23.160000
All right, there we go.

0:03:23.160000 --> 0:03:27.580000
And we'll see that we should have a web application running on the target

0:03:27.580000 --> 0:03:29.420000
server. Indeed, we do.

0:03:29.420000 --> 0:03:33.260000
We have Apache web server on port 80 and a MySQL database, which means

0:03:33.260000 --> 0:03:38.960000
there is some form of content management going on or access control, if

0:03:38.960000 --> 0:03:41.400000
you will. So we can actually confirm this.

0:03:41.400000 --> 0:03:45.820000
I'll just open up my standard Firefox here, not the ZAP Firefox.

0:03:45.820000 --> 0:03:46.840000
And there we are.

0:03:46.840000 --> 0:03:52.800000
So it takes us to bWAPP, which is an intentionally vulnerable web application.

0:03:52.800000 --> 0:03:56.640000
And as per the description, as it says here, it's an extremely buggy web

0:03:56.640000 --> 0:04:01.940000
app. So it also provides you with the default credentials, so bee and bug.

0:04:01.940000 --> 0:04:04.760000
So we know that; we're now going to open up ZAP.

0:04:04.760000 --> 0:04:07.980000
And what I'll do is I think we can actually close our terminal.

0:04:07.980000 --> 0:04:13.200000
We'll go into, I'll just clear out that there, Web Application Analysis

0:04:13.200000 --> 0:04:15.540000
and we'll open up OWASP ZAP.

0:04:15.540000 --> 0:04:19.040000
And I'm just going to increase the font size and I'll get back to you

0:04:19.040000 --> 0:04:20.600000
once that is done.

0:04:20.600000 --> 0:04:25.540000
All right, so the font size has been modified.

0:04:25.540000 --> 0:04:27.580000
I'm just going to change up the UI.

0:04:27.580000 --> 0:04:30.640000
So don't worry, I'm not going to skip through that, but I just like ZAP

0:04:30.640000 --> 0:04:33.780000
to operate in a specific way.

0:04:33.780000 --> 0:04:38.240000
I'm just used to it operating with the site tree to the left, so I'll

0:04:38.240000 --> 0:04:39.820000
drag that there.

0:04:39.820000 --> 0:04:42.700000
There we go. And we can now get started.

0:04:42.700000 --> 0:04:45.300000
So we have the request and response all ready to go.

0:04:45.300000 --> 0:04:47.100000
So we'll keep this in standard mode.

0:04:47.100000 --> 0:04:52.080000
And I'm going to open up the web browser, not the browser, I'm getting

0:04:52.080000 --> 0:04:58.680000
confused now. And I will paste in the URL bar here the IP that we copied.

0:04:58.680000 --> 0:05:01.360000
In this case, it doesn't look to be pasting in.

0:05:01.360000 --> 0:05:07.480000
That's weird. So I'll just open up my terminal again and just give me

0:05:07.480000 --> 0:05:08.720000
a moment as this opens up.

0:05:08.720000 --> 0:05:09.460000
So there we are.

0:05:09.460000 --> 0:05:12.140000
ifconfig, and I'll just copy that address.

0:05:12.140000 --> 0:05:15.420000
And again, remember to change the two at the end to a three.

0:05:15.420000 --> 0:05:18.600000
Otherwise, you'll just be trying to access a web server on the Kali Linux

0:05:18.600000 --> 0:05:21.920000
box. For some reason, this doesn't allow me to paste.

0:05:21.920000 --> 0:05:25.220000
That's weird. That's very, very interesting.

0:05:25.220000 --> 0:05:27.620000
Let me just try that again.

0:05:27.620000 --> 0:05:29.860000
I believe I copied that.

0:05:29.860000 --> 0:05:31.840000
That's very weird if it did not.

0:05:31.840000 --> 0:05:34.120000
So I'll just copy that explicitly.

0:05:34.120000 --> 0:05:35.640000
And there we are, paste and go.

0:05:35.640000 --> 0:05:38.140000
And again, I'll change that to a three.

0:05:38.140000 --> 0:05:40.600000
And let's see, is this working?

0:05:40.600000 --> 0:05:44.420000
We don't want this to be HTTPS, but rather HTTP.

0:05:44.420000 --> 0:05:46.360000
That points towards

0:05:46.360000 --> 0:05:48.540000
bWAPP. So we know that everything is good now.

0:05:48.540000 --> 0:05:53.620000
And we can see that we can actually see the site there added under Sites.

0:05:53.620000 --> 0:05:56.360000
If I can just expand this so you can see that clearly.

0:05:56.360000 --> 0:06:00.780000
There we are. So now that that is done, we can essentially perform a manual

0:06:00.780000 --> 0:06:03.680000
exploration or a passive crawl, if you will.

0:06:03.680000 --> 0:06:10.000000
We're going to skip the HUD there or just get rid of it altogether.

0:06:10.000000 --> 0:06:13.560000
And the first thing we can do, of course, is log into the web application

0:06:13.560000 --> 0:06:15.220000
using the credentials.

0:06:15.220000 --> 0:06:16.880000
Now do keep a note of the credentials.

0:06:16.880000 --> 0:06:20.980000
The reason why I'm pointing this out is because I mentioned that this

0:06:20.980000 --> 0:06:22.440000
video is very useful for developers.

0:06:22.440000 --> 0:06:26.740000
I'll show you how to perform an active scan, but also an authenticated

0:06:26.740000 --> 0:06:30.580000
active scan where you provide legitimate credentials so that the scanner

0:06:30.580000 --> 0:06:34.160000
can actually identify way more vulnerabilities as opposed to being a black

0:06:34.160000 --> 0:06:36.020000
box vulnerability scan.

0:06:36.020000 --> 0:06:40.580000
So in this case, we can see that the user is just bee and the password is

0:06:40.580000 --> 0:06:45.120000
bug. And in this particular case, we're not going to change the security

0:06:45.120000 --> 0:06:47.280000
level. We'll just hit Login.

0:06:47.280000 --> 0:06:50.580000
And now we can start playing around with bugs.

0:06:50.580000 --> 0:06:56.080000
So we can click maybe on HTML injection GET and we'll just click on Hack.

0:06:56.080000 --> 0:06:58.800000
There we are. And we can enter first and last name.

0:06:58.800000 --> 0:07:03.740000
So I'll just say my name here, Alexis Ahmed, and just hit Go.

0:07:03.740000 --> 0:07:08.220000
There we are. You know, just essentially perform some very basic crawling.

0:07:08.220000 --> 0:07:11.900000
And you know, you can enter whatever values you want.

0:07:11.900000 --> 0:07:12.820000
Let's try a few others.

0:07:12.820000 --> 0:07:16.280000
So we also have HTML injection reflected POST.

0:07:16.280000 --> 0:07:20.680000
These are all vulnerabilities that we should identify just by passive crawling,

0:07:20.680000 --> 0:07:22.380000
but we'll see what this looks like.

0:07:22.380000 --> 0:07:24.980000
So I'll just repeat that here.

0:07:24.980000 --> 0:07:26.620000
I'll try a different name next time.

0:07:26.620000 --> 0:07:30.040000
I'm not that self-centered, but there we are.

0:07:30.040000 --> 0:07:35.400000
The next one we can try, maybe, let's try HTML injection again.

0:07:35.400000 --> 0:07:39.060000
The stored one here, and we'll just say, there we are.

0:07:39.060000 --> 0:07:40.380000
We can submit some data.

0:07:40.380000 --> 0:07:47.800000
So let's see. We can say that ZAP is way better than Burp.

0:07:47.800000 --> 0:07:53.640000
Of course, that doesn't indicate any form of bias, but there we are.

0:07:53.640000 --> 0:07:54.480000
That's entered there.

0:07:54.480000 --> 0:07:58.700000
So this is trying to simulate stored HTML injection in the form of a blog

0:07:58.700000 --> 0:08:04.640000
post where we can sort of inject some custom HTML.

0:08:04.640000 --> 0:08:09.260000
So the way this would work is we could say HTML, just to introduce you

0:08:09.260000 --> 0:08:09.760000
to this vulnerability.

0:08:09.760000 --> 0:08:14.200000
I'll be covering this vulnerability within its own course, but in this

0:08:14.200000 --> 0:08:17.640000
case we did this tabulate so I can say head.

0:08:17.640000 --> 0:08:21.420000
And we can then say head, within the head.

0:08:21.420000 --> 0:08:23.280000
We have the title.

0:08:23.280000 --> 0:08:25.240000
So we can say test.

0:08:25.240000 --> 0:08:31.240000
And in this case, HTML, that we are, or rather title, my bad.

0:08:31.240000 --> 0:08:33.380000
I forgot how to code.

0:08:33.380000 --> 0:08:38.760000
And we can go into body, just as a simple example, you know, body in here.

0:08:38.760000 --> 0:08:42.260000
And we'll include like an H1 here.

0:08:42.260000 --> 0:08:49.600000
So we can say ZAP rocks, something like that, because it does indeed rock.

0:08:49.600000 --> 0:08:51.600000
I think most of you would agree to that.

0:08:51.600000 --> 0:08:54.740000
This is an H1, and you know, we can then hit Submit.

0:08:54.740000 --> 0:08:58.080000
And the way that would work, again just to explain this vulnerability, is

0:08:58.080000 --> 0:09:02.640000
if we can inject HTML, in this particular case into a blog post, then it

0:09:02.640000 --> 0:09:04.320000
would be rendered as HTML.

0:09:04.320000 --> 0:09:07.260000
Of course, there's much more malicious stuff you can do, like also use

0:09:07.260000 --> 0:09:08.280000
scripts, et cetera.

0:09:08.280000 --> 0:09:10.660000
But again, that's how that works.

0:09:10.660000 --> 0:09:12.040000
We can also try.

0:09:12.040000 --> 0:09:14.520000
Let's see, do we have SQL injection here?

0:09:14.520000 --> 0:09:19.800000
SQL injection GET search, and we can just set that to Hack.

0:09:19.800000 --> 0:09:22.380000
And you know, we can now just search for a movie.

0:09:22.380000 --> 0:09:26.060000
So something like, let's see, do we have any movies in the database?

0:09:26.060000 --> 0:09:32.860000
No, we don't. What's one of my favorite movies of all time?

0:09:32.860000 --> 0:09:35.440000
Fight Club. That's a definite.

0:09:35.440000 --> 0:09:37.020000
We don't have any results there.

0:09:37.020000 --> 0:09:40.200000
So we can sort of simulate some SQL injection here.

0:09:40.200000 --> 0:09:45.440000
If we try something else, let's see, something like Joe.

0:09:45.440000 --> 0:09:49.040000
Okay, so we have a movie in the database and it has an IMDb link.

0:09:49.040000 --> 0:09:50.200000
I'm not a fan of G.I.

0:09:50.200000 --> 0:09:53.100000
Joe. Let's try Mike.

0:09:53.100000 --> 0:09:54.880000
Mike, maybe that'll work.

0:09:54.880000 --> 0:09:57.880000
Brad, maybe John.

0:09:57.880000 --> 0:10:02.860000
Anyway, I'm just trying to perform a passive crawl here within my browser.

0:10:02.860000 --> 0:10:07.780000
Let's try SQL injection GET select.

0:10:07.780000 --> 0:10:09.500000
I don't want to hide.

0:10:09.500000 --> 0:10:12.380000
All right, so this is actually the movies that exist.

0:10:12.380000 --> 0:10:14.060000
World War Z is pretty good.

0:10:14.060000 --> 0:10:17.000000
So I'll just hit Go and that just displays that there.

0:10:17.000000 --> 0:10:19.320000
All right, so fairly simple.

0:10:19.320000 --> 0:10:21.620000
We've done the GET select.

0:10:21.620000 --> 0:10:23.420000
Let's try a few more.

0:10:23.420000 --> 0:10:24.980000
Actually, no, I think that's enough.

0:10:24.980000 --> 0:10:30.260000
So the bottom line is, if we now go into ZAP and we take a look at the

0:10:30.260000 --> 0:10:35.480000
site here, we can now start to see, you know, all of these particular.

0:10:35.480000 --> 0:10:41.140000
If we take a look at the site map, we can try and see if we can identify.

0:10:41.140000 --> 0:10:42.800000
There we are. We actually have it here.

0:10:42.800000 --> 0:10:47.140000
So I'm just going to drag this slightly to the side here just so that

0:10:47.140000 --> 0:10:49.920000
that is visible. But we have the POST here.

0:10:49.920000 --> 0:10:53.620000
So, you know, if I open this up and we actually just click on the request

0:10:53.620000 --> 0:10:58.720000
here, you can see we have the login submission right over here.

0:10:58.720000 --> 0:11:06.140000
Okay, so we can actually just include this in our context.

0:11:06.140000 --> 0:11:12.260000
So we're going to include this in context, and we're just going to specify

0:11:12.260000 --> 0:11:15.100000
this as included in the default context.

0:11:15.100000 --> 0:11:18.880000
Now, there's a few things that we need to do here to prepare this for

0:11:18.880000 --> 0:11:22.620000
our active scan or our authenticated active scan.

0:11:22.620000 --> 0:11:26.440000
So we want to head over to Authentication.

0:11:26.440000 --> 0:11:30.600000
And in this particular case, we know that this is form-based authentication.

0:11:30.600000 --> 0:11:33.940000
So we need to specify the login form.

0:11:33.940000 --> 0:11:39.420000
And in this case, you know, if we click on the.

0:11:39.420000 --> 0:11:42.640000
We would need to click on the actual login form here.

0:11:42.640000 --> 0:11:46.820000
So the login form target URL, we would need to specify that.

0:11:46.820000 --> 0:11:51.140000
We already know it to a certain extent, but we can just select that under

0:11:51.140000 --> 0:11:53.380000
here. Let's see.

0:11:53.380000 --> 0:11:58.280000
We know that this is login.php.

0:11:58.280000 --> 0:12:03.920000
Select that there, and we then have the GET there specified correctly; for

0:12:03.920000 --> 0:12:05.700000
the actual POST data,

0:12:05.700000 --> 0:12:08.960000
if any, we need to take a look at the request.

0:12:08.960000 --> 0:12:12.920000
Okay, so what we would need to do here is, if we take a look at the actual

0:12:12.920000 --> 0:12:17.080000
body of this response, I'm just going to minimize this if I can here.

0:12:17.080000 --> 0:12:20.560000
Sorry, that minimized the entire section for Burp, actually, I should have

0:12:20.560000 --> 0:12:24.500000
copied that. But what we need is essentially this here.

0:12:24.500000 --> 0:12:27.080000
So I'll just copy that to there.

0:12:27.080000 --> 0:12:35.380000
And again, we will go and Include in Context, Default Context, then Authentication.

0:12:35.380000 --> 0:12:38.380000
Form-based authentication, select that.

0:12:38.380000 --> 0:12:41.080000
And we'll just say this is the login here.

0:12:41.080000 --> 0:12:42.360000
So there we are.

0:12:42.360000 --> 0:12:47.080000
And the POST data in this case is specifying.

0:12:47.080000 --> 0:12:48.280000
So we have two parameters.

0:12:48.280000 --> 0:12:52.600000
We have login and password, login being the username and password being

0:12:52.600000 --> 0:12:56.220000
the, you know, the parameter for specifying a password.

0:12:56.220000 --> 0:12:58.380000
In this case, they're bee and bug.

0:12:58.380000 --> 0:13:03.280000
And we have the security level set to zero and form is set to submit.

0:13:03.280000 --> 0:13:08.820000
So the username parameter in this case is going to be login.

0:13:08.820000 --> 0:13:12.440000
For some reason that actually selected, and the password parameter is going

0:13:12.440000 --> 0:13:16.980000
to be password. What else would we need to configure the law?

0:13:16.980000 --> 0:13:18.280000
Actually, hold on.

0:13:18.280000 --> 0:13:20.320000
We scroll right to the bottom here.

0:13:20.320000 --> 0:13:23.500000
In fact, if I can enlarge this menu slightly.

0:13:23.500000 --> 0:13:30.100000
We would also need to specify the regex pattern identified in logged

0:13:30.100000 --> 0:13:35.940000
out response messages; that would obviously be just Login.

0:13:35.940000 --> 0:13:40.340000
If we take a look at the web app here and we log out.

0:13:40.340000 --> 0:13:42.520000
Yes, I want to log out.

0:13:42.520000 --> 0:13:45.700000
Yeah, that would be what we should look for.

0:13:45.700000 --> 0:13:52.300000
Just so that we know, you know, just so that we have that identified.

0:13:52.300000 --> 0:13:56.120000
But once we do that, we want to go into Users, and this is where we need

0:13:56.120000 --> 0:13:57.560000
to add the credentials.

0:13:57.560000 --> 0:14:00.780000
So we would need to say, we're just going to click on Add here.

0:14:00.780000 --> 0:14:05.600000
The username is bee, and in this case, we'll just say the username is

0:14:05.600000 --> 0:14:07.740000
bee and bug. So the credentials that we have.

0:14:07.740000 --> 0:14:11.080000
So the way a web developer would do this is, again, just specify credentials

0:14:11.080000 --> 0:14:15.320000
to log in to the web application.

0:14:15.320000 --> 0:14:17.940000
So they can perform their scan.

0:14:17.940000 --> 0:14:21.660000
And now we can just hit OK.

0:14:21.660000 --> 0:14:24.460000
And we also want to add this to our context.

0:14:24.460000 --> 0:14:28.140000
So I'm going to say Include in Context, Default Context.

0:14:28.140000 --> 0:14:31.520000
And that should be added successfully.

0:14:31.520000 --> 0:14:33.120000
So we'll just hit OK.

0:14:33.120000 --> 0:14:35.920000
Now, what we want to do now is run the spider.

0:14:35.920000 --> 0:14:38.720000
Now, I'll be covering the spider in its own video.

0:14:38.720000 --> 0:14:42.700000
If we just use that there, the bulls are there.

0:14:42.700000 --> 0:14:49.000000
We can go into Attack and we can click on Spider just to perform the basic

0:14:49.000000 --> 0:14:54.440000
spider for us. So there we are.

0:14:54.440000 --> 0:14:58.520000
So we'll go into the dedicated spider and we'll set that to perform recursively.

0:14:58.520000 --> 0:15:03.500000
So we'll start the scan, and you can also pay attention to the alerts.

0:15:03.500000 --> 0:15:06.100000
We'll actually do that shortly.

0:15:06.100000 --> 0:15:11.620000
But we can see that quite a few new URLs were found, quite a lot actually.

0:15:11.620000 --> 0:15:14.040000
So that's the functionality of the spider.

0:15:14.040000 --> 0:15:18.440000
But I'll be walking you through that in the next video most likely, just

0:15:18.440000 --> 0:15:20.320000
to show you how that would work.

0:15:20.320000 --> 0:15:23.140000
But yeah. So we've performed the spider.

0:15:23.140000 --> 0:15:25.500000
We can now perform our active scan.

0:15:25.500000 --> 0:15:29.100000
So I'll right-click on the target there and we're going to perform our

0:15:29.100000 --> 0:15:30.620000
active scan here.

0:15:30.620000 --> 0:15:34.680000
OK. So in this particular case, we're going to leave the policy as is

0:15:34.680000 --> 0:15:36.060000
and the context as is.

0:15:36.060000 --> 0:15:38.960000
We just need to change the user options here to bee.

0:15:38.960000 --> 0:15:41.320000
And we can specify a custom filter.

0:15:41.320000 --> 0:15:46.300000
So I'm going to start the scan now, and pay attention or take a look at

0:15:46.300000 --> 0:15:50.260000
the alerts. So it's going to discover a plethora now, or rather quite a

0:15:50.260000 --> 0:15:53.600000
lot of vulnerabilities, because this is an intentionally vulnerable web

0:15:53.600000 --> 0:15:58.100000
application. And you should actually see it identify those vulnerabilities

0:15:58.100000 --> 0:16:02.180000
based on the vulnerabilities we were exploring within bWAPP.

0:16:02.180000 --> 0:16:06.520000
So, you know, HTML injection, SQL injection, so on and so forth.

0:16:06.520000 --> 0:16:09.800000
So we're going to let this complete.

0:16:09.800000 --> 0:16:11.020000
It's still going through it.

0:16:11.020000 --> 0:16:13.440000
We want to give it a couple of seconds.

0:16:13.440000 --> 0:16:17.540000
I do expect to see at least SQL injection being highlighted, maybe a bit

0:16:17.540000 --> 0:16:19.520000
of directory browsing.

0:16:19.520000 --> 0:16:21.620000
But we have cross-site scripting there.

0:16:21.620000 --> 0:16:24.260000
Just want to see whether SQL injection will be found.

0:16:24.260000 --> 0:16:26.260000
And that's how advanced the scanner is.

0:16:26.260000 --> 0:16:30.220000
It can actually identify SQL injection vulnerabilities.

0:16:30.220000 --> 0:16:33.420000
And then, you know, as a web developer, you have the ability to go ahead

0:16:33.420000 --> 0:16:37.040000
and test them and confirm that they do exist.

0:16:37.040000 --> 0:16:39.760000
And as a pen tester, well, you have pretty much hit the jackpot.

0:16:39.760000 --> 0:16:43.840000
Now, again, be very careful with the actual active scanner.

0:16:43.840000 --> 0:16:48.920000
As I said, this is something that is very traffic-intensive.

0:16:48.920000 --> 0:16:51.760000
So that's why you always want to go into the options here.

0:16:51.760000 --> 0:16:57.460000
If I can resize this pane here. For some reason, whenever doing this through

0:16:57.460000 --> 0:17:04.140000
my browser and my low DPI mouse, I can't seem to be able to do it, which

0:17:04.140000 --> 0:17:06.000000
is very interesting indeed.

0:17:06.000000 --> 0:17:07.960000
Because on a highlight, there we are.

0:17:07.960000 --> 0:17:11.820000
Fantastic. So you can set the number of hosts scanned concurrently and,

0:17:11.820000 --> 0:17:14.880000
of course, the threads per host.

0:17:14.880000 --> 0:17:17.020000
But yeah, that is still going.

0:17:17.020000 --> 0:17:19.540000
And we found some SQL injection vulnerabilities.

0:17:19.540000 --> 0:17:24.020000
So it actually points to the page affected and shows you the parameters.

0:17:24.020000 --> 0:17:30.300000
So in this case, you can see we have the URL SQL 1, sqli_1.php,

0:17:30.300000 --> 0:17:32.140000
title equals John.

0:17:32.140000 --> 0:17:36.660000
And then this is URL-encoded, which is a great way to showcase one of

0:17:36.660000 --> 0:17:39.360000
the other pieces of functionality.

0:17:39.360000 --> 0:17:43.380000
And I will just copy this actually, because that's quite important, if we

0:17:43.380000 --> 0:17:47.200000
go into Tools. And we go to the decoder.

0:17:47.200000 --> 0:17:50.680000
Hold on. We should have that here.

0:17:50.680000 --> 0:17:54.840000
Let's see, Options, Replace, where is the decoder?

0:17:54.840000 --> 0:17:55.780000
Keep on for care.

0:17:55.780000 --> 0:17:57.520000
There we are. So the top now.

0:17:57.520000 --> 0:17:58.880000
So we can decode.

0:17:58.880000 --> 0:18:01.920000
This is the text to decode.

0:18:01.920000 --> 0:18:04.180000
We want to look for the URL decode.

0:18:04.180000 --> 0:18:08.100000
So you can see it's essentially passing in a SQL query here.

0:18:08.100000 --> 0:18:12.640000
So that's a standard SQL injection attack there that's being passed into

0:18:12.640000 --> 0:18:20.360000
the actual URL. So SQL injection, it tells us right over here, SQL injection

0:18:20.360000 --> 0:18:21.860000
may be possible.

0:18:21.860000 --> 0:18:26.840000
And the page results were successfully manipulated using the Boolean conditions.

0:18:26.840000 --> 0:18:30.880000
And the parameter just highlights more information about the vulnerability.

0:18:30.880000 --> 0:18:33.780000
And then for developers, you also have the solution.

0:18:33.780000 --> 0:18:38.480000
So again, in this case, sanitize client-side input or put in place client

0:18:38.480000 --> 0:18:40.280000
side validation.

0:18:40.280000 --> 0:18:42.600000
You know, very, very simple stuff.

0:18:42.600000 --> 0:18:44.400000
So we have that SQL injection.

0:18:44.400000 --> 0:18:48.780000
We also have, let's see in this particular case, if I can actually scroll

0:18:48.780000 --> 0:18:50.000000
to the top here.

0:18:50.000000 --> 0:18:53.200000
It looks like the active scanner is done.

0:18:53.200000 --> 0:18:55.320000
Yeah, that is possible.

0:18:55.320000 --> 0:18:59.700000
So we have also cross-site scripting vulnerabilities that were possible

0:18:59.700000 --> 0:19:06.700000
with regards to the HTML get.p, also the HTML injection vulnerability, which

0:19:06.700000 --> 0:19:12.340000
I pointed out. So we could, you know, perform some cross-site

0:19:12.340000 --> 0:19:17.000000
scripting here. So if we open up the URL, that should just confirm that

0:19:17.000000 --> 0:19:24.240000
actually. So you can see that if we just copy this here, let's try and

0:19:24.240000 --> 0:19:25.760000
see what that brings up.

0:19:25.760000 --> 0:19:30.200000
Alternatively, we can just simulate it ourselves, or I'll hit enter.

0:19:30.200000 --> 0:19:33.920000
And we actually need to log in because this was authenticated.

0:19:33.920000 --> 0:19:38.400000
So bee and bug. And I'll show you this here.

0:19:38.400000 --> 0:19:40.960000
So there we are.

0:19:40.960000 --> 0:19:44.240000
So we get that. It is a cross-site scripting vulnerability.

0:19:44.240000 --> 0:19:45.600000
So there you go.

0:19:45.600000 --> 0:19:47.720000
That's how powerful ZAP is.

0:19:47.720000 --> 0:19:50.100000
And again, I'm not comparing it to Burp Suite Community.

0:19:50.100000 --> 0:19:53.640000
I do know that this feature is present in the Professional Edition.

0:19:53.640000 --> 0:19:59.040000
But for what you pay, which is nothing with ZAP, you do get a hell

0:19:59.040000 --> 0:20:03.080000
of a lot of functionality.

0:20:03.080000 --> 0:20:05.200000
Yeah, so that's how this works.

0:20:05.200000 --> 0:20:07.700000
Now you can see, the more you start to use tools, they'll be added as

0:20:07.700000 --> 0:20:12.280000
tabs to the bottom pane here, which again, you can move wherever you want.

0:20:12.280000 --> 0:20:14.240000
It's entirely up to you.

0:20:14.240000 --> 0:20:16.000000
And in this case, the scan was done.

0:20:16.000000 --> 0:20:17.640000
We can take a look at the alerts here.

0:20:17.640000 --> 0:20:19.380000
The vulnerabilities that we were able to find.

0:20:19.380000 --> 0:20:24.760000
So we have persistent SQL injection and reflected or other cross-site

0:20:24.760000 --> 0:20:26.900000
scripting vulnerabilities.

0:20:26.900000 --> 0:20:33.680000
And these are all critical or high in terms of the risk, which is great

0:20:33.680000 --> 0:20:39.100000
to see. But of course, it's important to note that this is indeed.

0:20:39.100000 --> 0:20:44.060000
This is indeed a vulnerable, and intentionally vulnerable, web application.

0:20:44.060000 --> 0:20:47.240000
So we don't really need to do anything else.

0:20:47.240000 --> 0:20:51.800000
As I said, this is going to be based specifically on the type of website

0:20:51.800000 --> 0:20:56.520000
you're targeting, but be very careful with the scanner.

0:20:56.520000 --> 0:20:59.720000
I would recommend running the scanner on particular URLs.

0:20:59.720000 --> 0:21:03.780000
So an example of this would be, if we just refreshed this entire process

0:21:03.780000 --> 0:21:07.440000
or started up a new session, we could run it on a particular URL.

0:21:07.440000 --> 0:21:11.540000
Maybe one of the checks we did, like reflected HTML injection, and see whether

0:21:11.540000 --> 0:21:14.720000
it has or suffers from any vulnerability.

0:21:14.720000 --> 0:21:17.740000
With that being said, that's going to conclude the practical demonstration

0:21:17.740000 --> 0:21:19.820000
side of this video.