1 00:00:00,150 --> 00:00:06,780 OK, so the next vulnerability that we're going to go over is cross-site request forgery, or CSRF.
2 00:00:07,650 --> 00:00:14,580 So CSRF pretty much involves using malicious code to take advantage of a user's trusted
3 00:00:14,590 --> 00:00:16,830 session inside of the browser.
4 00:00:17,100 --> 00:00:24,090 So an example is, like, a user, you know, you would maybe socially engineer, phish a user and get
5 00:00:24,090 --> 00:00:30,540 them to click on a malicious link and execute the CSRF attack, so that attack would allow the attacker
6 00:00:30,540 --> 00:00:36,030 to use their current session, a.k.a. maybe stored in the cookies or something like that.
7 00:00:36,030 --> 00:00:41,490 This is used for their current session for the browser, and maybe for the banking website, and then we
8 00:00:41,490 --> 00:00:43,510 can use their account and wire ourselves money.
9 00:00:43,770 --> 00:00:47,230 So this is a very common use case when it comes to CSRF.
10 00:00:48,120 --> 00:00:54,790 And if the application doesn't have the proper countermeasures in place, the application is vulnerable.
11 00:00:54,810 --> 00:00:59,670 So let's go try this out with the vulnerable web application.
12 00:00:59,730 --> 00:01:03,090 OK, so back on the Linux machine, let's go ahead and click CSRF.
13 00:01:03,300 --> 00:01:06,650 So this looks like an admin password change prompt.
14 00:01:06,960 --> 00:01:13,610 OK, so there's no verification done beforehand, just this new password and then confirm new password.
15 00:01:13,890 --> 00:01:15,320 So test.
16 00:01:16,260 --> 00:01:20,100 So remember this, this is maybe like an admin-protected area.
17 00:01:20,100 --> 00:01:23,190 So, you know, the average user probably wouldn't have access to this.
18 00:01:23,490 --> 00:01:25,410 So test, and then let's say test.
19 00:01:25,560 --> 00:01:28,800 So it says password changed, and we can actually try that out.
20 00:01:28,800 --> 00:01:36,120 If you go back to the Brute Force one, admin and then test, and we see that it actually changes.
21 00:01:36,150 --> 00:01:42,840 So this tool right here actually goes through and changes the admin password.
22 00:01:43,110 --> 00:01:46,160 So knowing that it does that, and we know the URL.
23 00:01:46,170 --> 00:01:48,280 Oh, so let's actually see again.
24 00:01:48,300 --> 00:01:50,070 So let's do, like, test2.
25 00:01:51,090 --> 00:01:52,170 test2.
26 00:01:54,670 --> 00:02:00,670 Let's look up here at the URL, so the URL has this question mark and then it starts passing
27 00:02:00,820 --> 00:02:02,230 the different attributes.
28 00:02:02,230 --> 00:02:10,480 So password_new is test2, and then password_conf, and then also Change equals Change.
29 00:02:10,720 --> 00:02:18,580 So if we have all three of these in the URL, and this entire URL is executed, it will change
30 00:02:19,900 --> 00:02:23,420 the password to this test2 right here.
31 00:02:23,440 --> 00:02:31,810 So all we need to do is really, you know, create a new URL and get someone to actually click onto
32 00:02:31,810 --> 00:02:31,900 it.
33 00:02:32,110 --> 00:02:37,510 So the point of CSRF is really just to get someone to click on a malicious link that allows you to steal
34 00:02:37,510 --> 00:02:44,460 the information, or do something without their knowing, or the information.
35 00:02:44,470 --> 00:02:50,290 In a sense, though, we can test this out right here just to prove that.
36 00:02:51,070 --> 00:02:56,410 If we were to send somebody this, like a link to this page, and they would click on it because they thought
37 00:02:56,410 --> 00:02:57,110 it was something else.
38 00:02:57,130 --> 00:03:04,240 So say, like, hacked, and then let's make conf hacked as well.
39 00:03:05,590 --> 00:03:07,570 So now this is password changed.
40 00:03:07,930 --> 00:03:13,260 If we go over to the brute force, admin, hacked, and now we're logged in.
41 00:03:13,270 --> 00:03:19,420 So now we know that if we can pretty much get someone to execute that link, we'd be good to go.
42 00:03:19,690 --> 00:03:25,770 So now let's take this a step further and actually up the security to medium.
43 00:03:25,780 --> 00:03:30,040 So we would do that by going over here to DVWA Security.
44 00:03:30,700 --> 00:03:38,020 We would go ahead and hit medium, submit, and then we can go back to CSRF, and let's look at the source
45 00:03:38,020 --> 00:03:40,520 code and see kind of what's going on.
46 00:03:40,630 --> 00:03:48,490 So this time it looks like it's doing the GET request for changing the password and still does this,
47 00:03:48,490 --> 00:03:54,560 like if you look at the other one, it's the same thing where, you know, it gets the password_new variable,
48 00:03:54,600 --> 00:03:57,910 gets the password_conf, and then it does the execution.
49 00:03:57,910 --> 00:04:02,560 But before this happens, it actually executes this function right here.
50 00:04:02,950 --> 00:04:08,960 And this is going to check that the request is coming from the local server.
51 00:04:08,990 --> 00:04:11,670 That's all this right here is doing.
52 00:04:11,950 --> 00:04:19,960 So if we were to try to change it, like from our machine, for example, let's see, let's say
53 00:04:19,960 --> 00:04:23,110 Anthony and Anthony.
54 00:04:23,140 --> 00:04:23,670 There we go.
55 00:04:23,680 --> 00:04:24,640 It's a good password, right?
56 00:04:25,360 --> 00:04:26,430 Change.
57 00:04:26,740 --> 00:04:27,850 It won't change anything.
58 00:04:27,850 --> 00:04:30,750 We don't have the confirmation that it was changed.
59 00:04:30,970 --> 00:04:32,790 If I were to go over here.
60 00:04:32,830 --> 00:04:37,060 Admin, Anthony, using that as the password.
61 00:04:37,070 --> 00:04:37,570 Incorrect.
62 00:04:37,570 --> 00:04:38,690 So we know that didn't work.
63 00:04:38,710 --> 00:04:41,570 So now we have another hoop to kind of get over.
64 00:04:41,980 --> 00:04:51,970 So if you remember back what I said, it's checking to see if the referer, like the request, is originating
65 00:04:51,970 --> 00:04:58,900 from the server, so we can use Burp to actually take advantage of this and actually, you know, change
66 00:04:58,900 --> 00:05:02,290 the referer before it actually is sent over to the server.
67 00:05:02,290 --> 00:05:03,480 So we can do that.
68 00:05:03,850 --> 00:05:08,790 So we already have Burp opened up, so we can turn on our proxy right here.
69 00:05:09,130 --> 00:05:09,910 So, Burp.
70 00:05:10,920 --> 00:05:14,070 So now let's try that beautiful password, Anthony, again.
71 00:05:14,860 --> 00:05:21,420 OK, so Anthony, Anthony, so we have this confirmed. Really quick,
72 00:05:21,420 --> 00:05:29,010 let's go to Burp, see Proxy, Intercept, and make sure it says intercept is on.
73 00:05:30,150 --> 00:05:31,760 So now let's go back over here.
74 00:05:31,770 --> 00:05:32,640 We change.
75 00:05:32,880 --> 00:05:34,640 It's going to swing us over to Burp.
76 00:05:35,040 --> 00:05:38,400 So as you can see, we're going to analyze, calling this.
77 00:05:38,400 --> 00:05:42,030 So this, you know, is the request that we're making.
78 00:05:42,550 --> 00:05:46,210 So as you can see, this is the request that's going to be in the URL.
79 00:05:46,830 --> 00:05:49,900 This is the host that it's going to.
80 00:05:50,280 --> 00:05:53,070 So the referer is what we want to change.
81 00:05:53,310 --> 00:06:00,560 So what we can actually do, honestly, just right here, we can just change it to 127.0.0.1
82 00:06:00,570 --> 00:06:07,780 and now it's going to think that the request actually came from the local server.
83 00:06:08,580 --> 00:06:12,540 You can also do that in the header section right here to change it, but I changed it.
84 00:06:12,550 --> 00:06:17,030 There is a little bit cleaner a way to do it, so you can do that.
85 00:06:17,040 --> 00:06:21,660 And then once you do that, now it's going to think that the request came from the local server.
86 00:06:21,930 --> 00:06:23,410 So it must be OK.
87 00:06:23,730 --> 00:06:27,800 So let's hit forward, and there we go.
88 00:06:27,840 --> 00:06:29,380 Oh, password changed.
89 00:06:29,400 --> 00:06:29,810 Cool.
90 00:06:29,820 --> 00:06:31,950 So let's actually go confirm this.
91 00:06:33,060 --> 00:06:35,710 I've got to set my intercept, drop.
92 00:06:36,570 --> 00:06:37,860 Turn intercept off.
93 00:06:39,400 --> 00:06:50,650 Let's go back to brute force, though, admin and then Anthony, and hey, welcome to the password protected
94 00:06:50,650 --> 00:06:51,070 area.
95 00:06:51,140 --> 00:06:58,870 So now we actually know, you know, how to modify requests so we can bypass specific security measures.
96 00:06:59,140 --> 00:07:04,240 And in CSRF attacks, more realistically, though, we would need to social engineer
97 00:07:04,250 --> 00:07:05,950 someone into executing something.
98 00:07:06,130 --> 00:07:09,230 And one thing that we can do is actually write a Python script.
99 00:07:09,400 --> 00:07:12,130 So I'm going to pull up a script really quick that you guys can check out.
100 00:07:12,940 --> 00:07:18,250 And if you can get someone to actually, you know, click the link and execute the script,
101 00:07:18,280 --> 00:07:21,860 you know, this would actually go ahead and change the password.
102 00:07:21,890 --> 00:07:22,750 So let's look at this.
103 00:07:22,750 --> 00:07:23,210 Look at that.
104 00:07:24,050 --> 00:07:26,170 OK, so I'm inside of vi.
105 00:07:26,170 --> 00:07:34,930 I made a file called csrf.py, and it's a very simple and short Python script that's going to
106 00:07:34,930 --> 00:07:36,160 actually make the request.
107 00:07:36,490 --> 00:07:37,280 So again.
108 00:07:37,510 --> 00:07:44,050 So first, we import requests, as you know, from our previous Python talks, or whatever, kind of the
109 00:07:44,050 --> 00:07:45,520 basics is what you're going to need
110 00:07:45,520 --> 00:07:50,940 if you want to make an HTTP request. Then we're going to have the URL, and in the URL right here
111 00:07:52,210 --> 00:07:57,100 we have password_new is hacked, password_
112 00:07:57,130 --> 00:07:58,450 conf is hacked.
113 00:07:58,720 --> 00:07:59,950 Change equals Change.
114 00:07:59,950 --> 00:08:02,040 Those are our variables that we're passing in.
115 00:08:02,050 --> 00:08:04,680 That's the URL that we're making a request to.
116 00:08:05,320 --> 00:08:08,080 And then the x equals requests.
117 00:08:08,080 --> 00:08:10,150 get, URL, cookie.
118 00:08:10,160 --> 00:08:15,120 So this makes the HTTP request and it sets the cookie.
119 00:08:15,130 --> 00:08:23,710 So with all this stuff, there is a cookie that needs to be used for authentication purposes, and we
120 00:08:23,710 --> 00:08:26,260 set the security to medium.
121 00:08:26,260 --> 00:08:29,570 So if we would actually go, let's go look at that really quickly.
122 00:08:30,550 --> 00:08:37,060 So if you go back into Firefox, you click the little menu bar over here and then you go to Web Developer
123 00:08:37,570 --> 00:08:40,930 and Web Console so we can get the cookie.
124 00:08:40,930 --> 00:08:44,500 Actually, just document.cookie.
125 00:08:46,700 --> 00:08:51,230 And then it'll give us, ah, you know, the cookie for the current session, so I might actually need
126 00:08:51,230 --> 00:08:54,100 to change this because it might be different than what I did before.
127 00:08:54,950 --> 00:08:57,200 So I need to change that.
128 00:08:57,200 --> 00:09:00,290 So I'm going to copy the session ID.
129 00:09:02,280 --> 00:09:03,420 Copy that over.
130 00:09:04,770 --> 00:09:10,350 Copy, and I'm going to paste it in there, so I'm going to do this really quickly.
131 00:09:11,220 --> 00:09:17,550 So the cookie is going to be important for authentication so we can actually get to this page, and there's
132 00:09:17,550 --> 00:09:21,810 a way that we're going to go over later that we can actually capture people's cookies.
133 00:09:22,500 --> 00:09:23,730 So don't worry.
134 00:09:24,330 --> 00:09:27,990 Realistically, you will be able to also use this tactic.
135 00:09:27,990 --> 00:09:30,990 So paste, to do.
136 00:09:32,970 --> 00:09:39,300 Here we go, in there, some other extra quotes.
137 00:09:40,380 --> 00:09:44,700 OK, so now we did that, and then we also set the headers.
138 00:09:44,850 --> 00:09:48,600 So remember in Burp how we had the header section.
139 00:09:48,750 --> 00:09:55,140 So we want to just set the Referer header to just 127.0.0.1.
140 00:09:55,290 --> 00:09:59,700 And then we can put the directory path over here as well.
141 00:10:00,540 --> 00:10:03,390 And then we're going to print out the response to the request.
142 00:10:03,400 --> 00:10:06,850 So we have everything in here, and make sure that this bracket is right here.
143 00:10:06,870 --> 00:10:16,080 Let's do it right quick, and let's try to do python csrf.py, and it's going to go ahead and
144 00:10:16,080 --> 00:10:17,070 do the request.
145 00:10:17,400 --> 00:10:22,080 And as you can see, it's pretty much sending us the response.
146 00:10:22,290 --> 00:10:26,310 So the web page that we got back, and as you can see right here, it says password changed.
147 00:10:27,030 --> 00:10:28,200 So it must have worked.
148 00:10:28,210 --> 00:10:29,520 We can go ahead and try it.
149 00:10:29,530 --> 00:10:31,620 So go back to the brute force page.
150 00:10:32,970 --> 00:10:35,280 Admin, and then hacked.
151 00:10:36,430 --> 00:10:36,840 Bam!
152 00:10:36,920 --> 00:10:41,080 Now we know how to do a Python script there, if we can get someone to execute that script.
153 00:10:42,490 --> 00:10:47,150 You know, it would actually go through and change their password without them even knowing.
154 00:10:47,350 --> 00:10:49,070 And then we can go ahead and use it.
155 00:10:49,090 --> 00:10:54,820 So pretty useful, pretty useful technique, and it was pretty, pretty neat, actually,
156 00:10:54,820 --> 00:10:56,680 to be able to bypass and take advantage
157 00:10:56,680 --> 00:10:57,910 of cross-site request forgery.