1
00:00:06,780 --> 00:00:14,430
All right, so in the last lecture, we used a SQL injection vulnerability to bypass authentication

2
00:00:14,430 --> 00:00:18,660
and sign in as an admin, as you can see here.

3
00:00:19,190 --> 00:00:19,560
All right.

4
00:00:19,560 --> 00:00:25,770
And we were able to inject a single tick and completely avoid the WHERE clause with the combination

5
00:00:25,770 --> 00:00:28,620
of the OR keyword and a comment.

6
00:00:29,430 --> 00:00:37,440
So we go back to the Developer Tools, Network tab, and if we log out, try to log back in

7
00:00:43,080 --> 00:00:50,950
with that single tick, find the POST request, go to the response and you can see the query here.

8
00:00:51,540 --> 00:00:58,620
Now, the reason we were able to log in as an admin by inserting that single tick and the OR one

9
00:00:58,620 --> 00:01:04,440
equals one is because the first record in the users table probably has an ID of one and it corresponds

10
00:01:04,440 --> 00:01:05,300
to the administrator.

11
00:01:05,340 --> 00:01:08,230
You know, it's not uncommon that the first record is the administrator.

12
00:01:08,250 --> 00:01:11,100
And so what we did, I'll show you what we did, actually.

13
00:01:11,250 --> 00:01:16,650
Let's grab this query, flip over to Obsidian, Ctrl+N, and call it SQL.

14
00:01:16,650 --> 00:01:23,100
I'll type "Original SQL query" and I'll just paste it in here.

15
00:01:27,240 --> 00:01:30,810
Ctrl+E, let's just do something here,

16
00:01:33,570 --> 00:01:35,310
Ctrl+E to get out of preview mode.

17
00:01:35,680 --> 00:01:43,560
Let's just copy this injected SQL query; when we did the injection, we put tick or one equals one

18
00:01:43,830 --> 00:01:44,580
dash dash.

19
00:01:45,100 --> 00:01:52,080
What I want you guys to see is that this tick or one equals one does a couple of things.

20
00:01:52,590 --> 00:01:56,840
First of all, this comment comments out everything after here.
21
00:01:57,630 --> 00:01:59,190
So basically all that stuff gets deleted.

22
00:02:01,550 --> 00:02:09,290
So actually, make this again; now the query looks like this, right?

23
00:02:09,830 --> 00:02:17,750
Well, now it's just saying select all columns from the users table where the email is equal to nothing

24
00:02:18,230 --> 00:02:19,130
or one equals one.

25
00:02:19,880 --> 00:02:21,730
Well, this condition is true.

26
00:02:21,890 --> 00:02:23,030
One is always equal to one.

27
00:02:23,600 --> 00:02:25,760
And therefore, this entire WHERE clause disappears.

28
00:02:26,180 --> 00:02:27,150
So let's reflect that.

29
00:02:27,710 --> 00:02:33,020
So now the query is just selecting all columns from the users table and all records.

30
00:02:33,440 --> 00:02:39,290
But if the first record is an admin and the code is just checking for a match, for the first match, then

31
00:02:39,500 --> 00:02:44,510
all the columns for that particular user, the username, the password, the deletedAt column, are

32
00:02:44,510 --> 00:02:50,040
going to be returned by the database and it's going to be used by the web app to access the restricted page.

33
00:02:50,990 --> 00:02:54,260
So that's just, I just want to kind of clean that up so you guys see, you know, how that works.

34
00:02:54,440 --> 00:02:54,820
All right.

35
00:02:54,830 --> 00:02:57,800
But today we're going to get into the broken authentication piece.

36
00:02:58,100 --> 00:03:03,560
So we've already demonstrated that authentication is broken by signing in as the admin user without

37
00:03:03,560 --> 00:03:04,430
even knowing his password.

38
00:03:04,440 --> 00:03:04,720
Right.

39
00:03:05,150 --> 00:03:11,150
But when OWASP uses the term broken authentication, they're referring to using username and password

40
00:03:11,150 --> 00:03:16,510
lists to brute-force valid accounts and gain unauthorized entry into a web app.
41
00:03:17,000 --> 00:03:22,040
So, you know, perhaps we can use a dictionary attack to sign into the web app as another user, right?

42
00:03:22,520 --> 00:03:27,320
At least that's what I'm thinking, because if this website is relying on password-based logins,

43
00:03:27,920 --> 00:03:28,280
right,

44
00:03:28,280 --> 00:03:33,920
as the only method of authenticating users, then there's a high probability that, you know, it's

45
00:03:33,920 --> 00:03:36,030
vulnerable to brute force and dictionary-based attacks.

46
00:03:36,770 --> 00:03:41,480
Now, it is true that some web apps will actually implement brute force defenses by blocking the attacker's

47
00:03:41,480 --> 00:03:43,790
IP after a failed login threshold is reached.

48
00:03:44,090 --> 00:03:49,140
But this can sometimes be bypassed by logging in with valid credentials at regular intervals.

49
00:03:49,700 --> 00:03:54,860
What'll happen is you'll try a sequence of failed attempts and then the web app will reset the failed

50
00:03:54,860 --> 00:03:57,150
attempt counter at the first successful attempt.

51
00:03:57,650 --> 00:04:02,540
Also, you know, if the account gets locked out, we may be able to completely bypass it with a credential

52
00:04:02,540 --> 00:04:03,140
stuffing attack.

53
00:04:03,140 --> 00:04:05,090
And that's what OWASP mentions here.

54
00:04:05,180 --> 00:04:09,620
And attackers have access to hundreds of millions of valid username and password combinations for credential

55
00:04:09,620 --> 00:04:10,040
stuffing.

56
00:04:10,400 --> 00:04:10,730
Right.

57
00:04:11,270 --> 00:04:12,470
Is the application vulnerable?

58
00:04:13,400 --> 00:04:18,210
Well, if the application permits automated attacks such as credential stuffing, then it may be.

59
00:04:18,740 --> 00:04:20,000
So what is this credential stuffing?
60
00:04:20,360 --> 00:04:26,240
Well, you know, instead of issuing a bunch of failed logins against a single username, we can use

61
00:04:26,240 --> 00:04:31,120
a massive dictionary of unique username-password pairs leaked from a data breach.

62
00:04:31,670 --> 00:04:37,190
And since most people reuse credentials, leaked credentials used against one website might also be

63
00:04:37,190 --> 00:04:38,090
valid against another.

64
00:04:39,290 --> 00:04:44,780
In addition, account lockout wouldn't work in this case because each username is only attempted once,

65
00:04:45,350 --> 00:04:45,670
right.

66
00:04:46,400 --> 00:04:51,290
And the other thing is the attacker might actually get lucky and compromise multiple accounts in a

67
00:04:51,290 --> 00:04:52,390
single automated session.

68
00:04:52,760 --> 00:04:56,240
So there's a lot of benefit to this credential stuffing attack vector.

69
00:04:56,240 --> 00:04:58,460
So let's see if we can execute this.

70
00:04:59,090 --> 00:05:00,950
So we're logged into this app as an administrator.

71
00:05:01,430 --> 00:05:05,330
Let's click on one of these options here, Fruit Press.

72
00:05:05,510 --> 00:05:05,840
All right.

73
00:05:05,840 --> 00:05:06,770
So there's a review.

74
00:05:07,520 --> 00:05:08,470
No review on this one.

75
00:05:09,520 --> 00:05:09,860
All right.

76
00:05:09,900 --> 00:05:10,970
What about Green Smoothie?

77
00:05:11,120 --> 00:05:17,510
I'm just looking for, like, an account or, you know, I'm just looking for, like, user reviews.

78
00:05:18,560 --> 00:05:18,930
All right.

79
00:05:18,930 --> 00:05:21,290
So we've got this user, Jim at Juice.

80
00:05:22,940 --> 00:05:25,970
Let's see if we can get into this user's account through broken authentication.

81
00:05:26,450 --> 00:05:27,830
So we're going to log out of the admin.

82
00:05:28,290 --> 00:05:33,110
Let's go back to the login form and let's see what happens if we go to Forgot Your Password.
83
00:05:34,400 --> 00:05:37,420
So we'll pop his email address in here, tab down to the next box.

84
00:05:38,180 --> 00:05:43,670
An interesting thing, number one, Firefox is telling me this connection is not secure because it's not using

85
00:05:43,970 --> 00:05:44,370
HTTPS.

86
00:05:45,150 --> 00:05:49,130
So obviously you wouldn't want to enter sensitive information over this connection because it could

87
00:05:49,130 --> 00:05:50,840
be captured and replayed.

88
00:05:51,290 --> 00:05:56,570
But you also notice it says "your eldest sibling's middle name"; it's giving us a clue to the security

89
00:05:56,570 --> 00:05:57,010
question.

90
00:05:57,320 --> 00:06:01,460
So if we knew that, you know, if we knew the answer to this question, if we knew the middle name of

91
00:06:01,460 --> 00:06:06,080
Jim's eldest sibling, then we could probably recreate, you know, we could possibly break into this

92
00:06:06,080 --> 00:06:14,930
account by setting a new password and then plugging in, as Jim, let's just put like Jim in here and set

93
00:06:14,930 --> 00:06:20,060
the password, something we change.

94
00:06:21,170 --> 00:06:26,090
All right, so it's telling us wrong answer to a security question; if we could automate this process

95
00:06:27,020 --> 00:06:33,050
and then look for, you know, this response inside the HTTP request, then we might be able to sort of

96
00:06:33,050 --> 00:06:36,470
script up a brute force, especially if there's no mitigations in place here.

97
00:06:37,680 --> 00:06:41,700
So let's go ahead and send this to Intruder and see what we can do over in Burp.

98
00:06:43,290 --> 00:06:44,190
Intercept is on.

99
00:06:46,000 --> 00:06:48,190
We'll put in test, test.

100
00:06:50,080 --> 00:06:54,900
And all it's tested is the password, so there is some security in place.

101
00:06:58,040 --> 00:06:59,420
All right, so we've got this request.

102
00:07:00,590 --> 00:07:02,600
Ctrl+R, Ctrl+Shift+R, go to Repeater.
103
00:07:03,730 --> 00:07:05,230
Ctrl+Space to send it.

104
00:07:06,310 --> 00:07:13,330
So if we just change this answer from test to something like Mike, Ctrl+V, paste: wrong answer.

105
00:07:13,330 --> 00:07:13,590
Right.

106
00:07:14,860 --> 00:07:20,260
And I can keep changing this, James, Ctrl+Space.

107
00:07:21,430 --> 00:07:29,350
And you can see every time the bytes are sent, James, one, Ctrl+Space, the bytes are the same, Ctrl+

108
00:07:29,590 --> 00:07:32,940
Space, and the delay is pretty similar too.

109
00:07:33,430 --> 00:07:35,360
So let's send this to Intruder, Ctrl+I,

110
00:07:35,380 --> 00:07:36,640
Ctrl+Shift+I.

111
00:07:37,920 --> 00:07:45,000
We go to Positions, we want to clear all the positions and we only care about this answer right here,

112
00:07:45,000 --> 00:07:45,720
so we'll select it.

113
00:07:47,590 --> 00:07:51,470
We'll say Add and then we need a list of payloads, right?

114
00:07:51,540 --> 00:07:59,380
We need a list of names, so we're going to get that good old Google common list of names.

115
00:07:59,410 --> 00:08:00,250
Let's see, what do we have?

116
00:08:01,650 --> 00:08:02,920
And so we've got something here.

117
00:08:04,210 --> 00:08:07,980
Yeah, so this is going to be really cool, guys, I'm going to show you how we can scrape this list

118
00:08:08,340 --> 00:08:11,520
because, you know, there's a lot of information in here that we don't need.

119
00:08:13,380 --> 00:08:14,730
You know, all we really want are the names.

120
00:08:14,730 --> 00:08:16,200
We don't care about the rank and the numbers.

121
00:08:17,040 --> 00:08:22,140
So let's go ahead and get this list into a format that Burp would like, just the list of names.

122
00:08:22,950 --> 00:08:23,300
All right.

123
00:08:23,310 --> 00:08:28,470
So first, let's do a curl on this URL just to pull everything down.

124
00:08:30,990 --> 00:08:31,860
Ctrl+Shift+V.
125
00:08:34,310 --> 00:08:39,470
All right, so we've got everything here, we can see the names are listed here, right?

126
00:08:41,070 --> 00:08:41,580
So.

127
00:08:42,840 --> 00:08:52,380
If we could just grep out lines that end in this closing table data and table row tag, then we should just

128
00:08:52,380 --> 00:08:55,660
get the lines that include the names we want, right.

129
00:08:55,680 --> 00:08:56,520
Not this other stuff.

130
00:08:56,940 --> 00:08:58,140
So let's do that.

131
00:08:59,220 --> 00:09:03,750
Let's say grep and we need to do a -E because that allows us to do regex.

132
00:09:04,710 --> 00:09:05,610
And then we can say

133
00:09:09,270 --> 00:09:10,110
something like this.

134
00:09:10,710 --> 00:09:13,130
And now we've got the lines that show us what we need.

135
00:09:13,140 --> 00:09:14,700
And there's a couple of things that we don't need.

136
00:09:15,600 --> 00:09:17,520
We don't need this output from curl.

137
00:09:18,360 --> 00:09:19,590
We can make curl silent.

138
00:09:20,940 --> 00:09:21,620
That looks better.

139
00:09:22,200 --> 00:09:23,190
And now what do we want?

140
00:09:23,670 --> 00:09:30,230
Well, we also want the names between a TD and a closing TD right here.

141
00:09:30,240 --> 00:09:37,710
We've got a TD and a closing TD so we can use some regex to get that out of there again.

142
00:09:37,710 --> 00:09:38,610
We can send it to grep.

143
00:09:39,930 --> 00:09:41,670
And what can we do here?

144
00:09:41,850 --> 00:09:45,660
We can say TD, then space, closing TD.

145
00:09:47,220 --> 00:09:53,830
And between those, we have some words, so we have word characters, one or more word characters.

146
00:09:53,850 --> 00:09:55,440
That's what this backslash means.

147
00:09:56,580 --> 00:09:59,160
Now, we've got a lot of stuff, but we're still getting things we don't need.

148
00:09:59,170 --> 00:10:05,820
We only want to include the matches and so we can do the -o option to just include the matches.
149
00:10:06,480 --> 00:10:07,230
All right, cool.

150
00:10:07,260 --> 00:10:12,360
We're getting better now; when we need to strip off the TDs we can use sed for that.

151
00:10:13,710 --> 00:10:19,290
So first we'll get rid of that and say substitute this

152
00:10:20,900 --> 00:10:27,700
with whatever comes next, which will be nothing, do a global match and make it case insensitive, Enter.

153
00:10:28,220 --> 00:10:30,110
Good, then we'll just get off the last part.

154
00:10:30,110 --> 00:10:35,140
We'll strip off the trailing closing TD tag, and let's say it didn't work because we need to escape that slash

155
00:10:35,600 --> 00:10:36,510
with a backslash.

156
00:10:37,370 --> 00:10:37,870
There we go.

157
00:10:38,250 --> 00:10:38,840
Looking good.

158
00:10:39,320 --> 00:10:41,190
So pipe this into a file called middle names.

159
00:10:42,380 --> 00:10:42,740
All right.

160
00:10:42,740 --> 00:10:43,690
So we've got this file.

161
00:10:44,120 --> 00:10:45,370
It's 1.4K.

162
00:10:46,310 --> 00:10:47,300
Let's put that into Burp.

163
00:10:47,690 --> 00:10:48,560
There we go.

164
00:10:50,060 --> 00:10:56,750
All right, looking good, now what we can do is in the Options, we can basically tell it to extract

165
00:10:56,750 --> 00:11:04,580
useful information from the response, and we want this so we know what the wrong answers look like.

166
00:11:04,910 --> 00:11:05,780
So we'll just select it.

167
00:11:07,020 --> 00:11:07,710
Looks good.

168
00:11:08,250 --> 00:11:08,660
OK.

169
00:11:09,950 --> 00:11:13,220
Back to Payloads and we start the attack, let's go.

170
00:11:18,260 --> 00:11:23,660
So it took about 10 minutes to go through this list, mainly because we're using Burp Community, which

171
00:11:23,660 --> 00:11:29,960
is the free version of Burp, which basically has rate limiting, artificially introduced to encourage

172
00:11:30,680 --> 00:11:34,220
people to buy the full product, which, by the way, I strongly suggest.
173
00:11:34,880 --> 00:11:38,230
So we can actually flip through the output by sorting by length.

174
00:11:39,740 --> 00:11:43,190
And when you do that, you can see this payload,

175
00:11:43,190 --> 00:11:46,610
Samuel, has a different response.

176
00:11:47,260 --> 00:11:50,310
It doesn't actually contain "wrong answer to security question".

177
00:11:50,960 --> 00:11:55,280
Instead, it contains an HTTP 200 status code.

178
00:11:56,690 --> 00:11:58,550
And you can see we've got a password that's been hashed.

179
00:12:00,140 --> 00:12:05,120
And we have a few other things, so we now know we are effectively able to brute force the answer to

180
00:12:05,120 --> 00:12:07,040
the victim's security question, right?

181
00:12:07,120 --> 00:12:07,810
We know it's Samuel.

182
00:12:09,410 --> 00:12:10,820
So let's go ahead and use this to log in.

183
00:12:11,240 --> 00:12:12,400
So put Samuel here.

184
00:12:13,820 --> 00:12:14,870
Go to Change.

185
00:12:16,210 --> 00:12:17,810
Password was successfully changed.

186
00:12:18,680 --> 00:12:19,730
Now we should be able to log in.

187
00:12:21,290 --> 00:12:26,120
We'll paste his email address in and we'll put in the password we just created.

188
00:12:27,740 --> 00:12:32,500
And bam, we're logged in as Jim.

189
00:12:32,990 --> 00:12:33,290
Right.

190
00:12:33,560 --> 00:12:37,730
So this attack could have been mitigated by banning, you know, my source IP after a certain number

191
00:12:37,730 --> 00:12:45,020
of failed login attempts or by not reflecting the user's security question in the web app's forgot my

192
00:12:45,020 --> 00:12:45,760
password page.

193
00:12:46,100 --> 00:12:51,200
Also, you know, using two-factor authentication would have helped because even if I as the attacker had Jim's

194
00:12:51,200 --> 00:12:55,810
password, I still couldn't log in without Jim's smartphone or security key.

195
00:12:56,270 --> 00:12:56,570
Right.

196
00:12:57,110 --> 00:12:57,970
So that's the way to go.
197
00:12:58,310 --> 00:13:03,390
And in the next lecture, we're going to continue our own journey by looking at sensitive data exposure.

198
00:13:03,800 --> 00:13:06,320
So I'll see you guys in the next lecture, bye.