1
00:00:07,830 --> 00:00:12,570
All right, you guys, on the last lecture, we dug into insecure direct object reference, which is

2
00:00:12,570 --> 00:00:17,040
a vulnerability class subtype of broken access control.

3
00:00:17,250 --> 00:00:22,520
Now we're going to get into security misconfiguration, as you can see in our top 10.

4
00:00:22,530 --> 00:00:26,390
You know, this is a fairly broad attack, right?

5
00:00:26,460 --> 00:00:32,490
You could have unpatched flaws or access to default accounts on these pages of protected files and

6
00:00:32,490 --> 00:00:33,120
directories.

7
00:00:33,810 --> 00:00:38,940
And this basically tells you, you know, what the security weaknesses are and the potential impact.

8
00:00:39,600 --> 00:00:44,670
One of the attacks, obviously, is that it can give attackers unauthorized access to system data and

9
00:00:44,670 --> 00:00:45,330
functionality.

10
00:00:45,540 --> 00:00:47,070
Obviously, it's not something that you want.

11
00:00:47,220 --> 00:00:52,710
And depending on what the attacker is able to access, it could result in a total business application

12
00:00:52,710 --> 00:00:53,340
compromise.

13
00:00:53,830 --> 00:00:58,860
OK, so obviously we want to make sure that the application isn't vulnerable and we want to prevent

14
00:00:58,860 --> 00:01:01,120
this to make sure it's not vulnerable.

15
00:01:01,140 --> 00:01:01,860
We need to scan it.

16
00:01:01,860 --> 00:01:02,610
We need to test it.

17
00:01:02,790 --> 00:01:03,840
We're going to do it manually.

18
00:01:04,260 --> 00:01:08,880
And one of the things we're looking for here is we want to see if there's, you know, error handling

19
00:01:09,060 --> 00:01:13,380
that reveals stack traces or other overly informative error messages.

20
00:01:13,890 --> 00:01:20,670
You're basically telling the attacker what to do on this next move by barfing verbose error responses.

21
00:01:20,850 --> 00:01:21,180
Right.

22
00:01:21,210 --> 00:01:26,580
The application needs to gracefully handle non-standard or unexpected input.

23
00:01:26,880 --> 00:01:29,000
And that's what we're going to test right now.

24
00:01:30,030 --> 00:01:34,980
So here we are in OWASP Juice Shop and we are still signed in with our Bonnie at Security plus pro

25
00:01:34,990 --> 00:01:38,280
dotcom account, and what I'm going to do is take off

26
00:01:40,160 --> 00:01:46,190
Intercept, which it is off, and we're just going to, you know, just click around.

27
00:01:48,370 --> 00:01:49,520
Just click around the application.

28
00:01:49,570 --> 00:01:54,550
We're just trying to, you know, just make sure that everything responds the way we would expect. If

29
00:01:54,550 --> 00:01:57,440
I put, like, a bunch of ones in here, what gives me a limit?

30
00:01:57,460 --> 00:01:58,660
There you see it says one 60.

31
00:02:01,500 --> 00:02:06,150
Now, you could try to try this in too many and you can possibly get around this possibly and Repeater,

32
00:02:06,160 --> 00:02:09,650
but again, we're just trying to see if there's something we can do here to break the application.

33
00:02:10,820 --> 00:02:16,760
Let's go back to Burp and look at some of these requests, so I can sort by the number, put the most recent

34
00:02:16,760 --> 00:02:17,600
request at the top.

35
00:02:19,690 --> 00:02:21,970
And you can see there's a bunch of requests here.

36
00:02:24,130 --> 00:02:26,790
Let's see, this is rest user, who am I?

37
00:02:27,700 --> 00:02:33,310
What if I just change this to, like, I don't know, a user that doesn't exist? Ctrl-R, Ctrl-Shift-R,

38
00:02:33,310 --> 00:02:37,990
Ctrl-Space, send, and then we'll change this to, like, Bonnie.

39
00:02:40,520 --> 00:02:42,770
Sent. Unexpected path.

40
00:02:43,310 --> 00:02:46,670
Look at that, unexpected path, rest user Bonnie.

41
00:02:47,650 --> 00:02:49,540
And look what it's doing, it's actually telling you.

42
00:02:50,830 --> 00:02:51,500
I think this big.

43
00:02:52,360 --> 00:02:54,700
I can't get into actually telling you.

44
00:02:55,840 --> 00:02:57,100
Way too much information.

45
00:02:58,740 --> 00:02:59,520
And the response.

46
00:03:00,580 --> 00:03:02,350
It's given me the local path.

47
00:03:03,700 --> 00:03:08,300
To the Web application, and is barfing local directories up to shop.

48
00:03:08,320 --> 00:03:09,180
That's my webroot.

49
00:03:09,970 --> 00:03:11,980
Obviously, this is not something you want to attack or to have.

50
00:03:12,550 --> 00:03:18,520
And it's also revealing the exact lines inside these JavaScript files that were invoked as a result

51
00:03:18,520 --> 00:03:19,300
of this error message.

52
00:03:19,810 --> 00:03:22,090
Now, you should never display information like this to an attacker.

53
00:03:22,540 --> 00:03:25,020
An attacker should not see this, or even a user.

54
00:03:25,070 --> 00:03:29,860
This, first of all, from a non-security perspective, it just provides a bad user experience

55
00:03:29,860 --> 00:03:30,700
and it's unprofessional.

56
00:03:31,030 --> 00:03:34,870
You need to gracefully handle error messages. Two, from an attacker perspective,

57
00:03:35,200 --> 00:03:37,130
it's aiding them in their recon exercise.

58
00:03:37,150 --> 00:03:39,070
Now they know that this is the webroot.

59
00:03:39,070 --> 00:03:43,450
So if I'm going to drop a web shell on this box or maybe, you know, I'm able to get a remote command

60
00:03:43,450 --> 00:03:48,790
execution or I'm able to maybe exploit a local file include, that's where I'm going to look.

61
00:03:49,210 --> 00:03:49,570
Right.

62
00:03:49,580 --> 00:03:51,040
So, you know, obviously we don't want this.

63
00:03:51,370 --> 00:03:55,420
It's even telling us the framework we're using, which is Node.js and the Express framework.

64
00:03:55,930 --> 00:04:01,480
You know, way too much information is included in this 500 Internal Server Error attack.

65
00:04:01,540 --> 00:04:06,790
I would just want to scan the box, look at all the HTTP status codes that are 500, and then look

66
00:04:06,790 --> 00:04:10,240
at a body that would just give me what I need to watch my next move, my attack.

67
00:04:11,120 --> 00:04:13,660
Obviously, this is a serious vulnerability.

68
00:04:13,960 --> 00:04:17,770
Make sure that your Web applications will handle non-standard input.

69
00:04:18,310 --> 00:04:22,090
In the next lecture, we will get into cross-site scripting.

70
00:04:22,540 --> 00:04:24,100
I'll see you in the next lecture.

71
00:04:25,600 --> 00:04:27,160
You we come by.