1 00:00:00,090 --> 00:00:04,450 So here we are on our application with Burp Suite up.
2 00:00:04,530 --> 00:00:07,800 This should just be a continuation for you, like every video.
3 00:00:07,920 --> 00:00:09,780 So I'm here.
4 00:00:09,780 --> 00:00:14,720 I'm going to go to Account and I'm actually going to log out of this account.
5 00:00:15,860 --> 00:00:19,240 And from here I go back to Account and into the login page.
6 00:00:19,250 --> 00:00:22,490 So we're going to play as if we were unauthenticated for right now.
7 00:00:23,910 --> 00:00:25,100 So what do we want to do?
8 00:00:25,110 --> 00:00:32,280 First thing, when I see a login page, I want to check actually for any kind of enumeration that we can
9 00:00:32,280 --> 00:00:32,550 do.
10 00:00:32,550 --> 00:00:39,210 Username enumeration. So we could do test@test.com and just put "test" here and just submit this
11 00:00:39,510 --> 00:00:43,360 and try to log in, and this is great.
12 00:00:43,360 --> 00:00:45,060 This is what you want to see.
13 00:00:45,130 --> 00:00:47,840 You don't see this all the time, but this is what you want to see.
14 00:00:47,890 --> 00:00:51,610 So it says "Invalid email or password."
15 00:00:51,610 --> 00:00:57,700 A lot of places will just say "invalid email address" or "incorrect password."
16 00:00:57,700 --> 00:00:59,020 That way you know,
17 00:00:59,050 --> 00:01:01,510 "OK, well, the email address is correct.
18 00:01:01,510 --> 00:01:02,800 I don't know the password."
19 00:01:03,040 --> 00:01:07,960 If that were the situation, that would be a finding. It would be a low-level finding, but it's still considered
20 00:01:07,960 --> 00:01:12,820 information disclosure when you are allowing for username enumeration.
21 00:01:12,820 --> 00:01:19,020 So keep that in mind when you're on a login page like this; it's something that you want to check. Now,
22 00:01:19,030 --> 00:01:22,990 from here we can go to "Hey, I forgot my password."
23 00:01:24,310 --> 00:01:31,820 And then here we can do the same thing, test@test.com, and remember we were talking about the
24 00:01:32,190 --> 00:01:34,820 username enumeration beforehand.
25 00:01:35,300 --> 00:01:37,670 Well, guess what's happening?
26 00:01:37,670 --> 00:01:41,430 We don't have a security question coming through here, right?
27 00:01:41,870 --> 00:01:43,330 So that's an issue.
28 00:01:43,340 --> 00:01:52,260 This is username enumeration. For example, we did log in as the admin user, and their email was admin@
29 00:01:52,270 --> 00:01:53,870 juice-
30 00:01:53,920 --> 00:01:57,230 sh.op.
31 00:01:57,600 --> 00:02:00,120 Now we are able to click on this.
32 00:02:00,120 --> 00:02:00,900 This is bad.
33 00:02:00,900 --> 00:02:02,570 This is so bad.
34 00:02:02,730 --> 00:02:07,620 There are situations I see, especially doing web apps all the time and bug bounty hunting all the time,
35 00:02:08,100 --> 00:02:14,340 where you have the situation where if you provide an invalid email address nothing happens, or, say,
36 00:02:14,370 --> 00:02:17,810 even if it's just... imagine there's nothing right here down below.
37 00:02:17,820 --> 00:02:19,280 It just says, "Hey, I want to...
38 00:02:19,440 --> 00:02:20,490 I forgot my password."
39 00:02:20,490 --> 00:02:21,510 I don't know.
40 00:02:21,510 --> 00:02:25,770 I'm going to go ahead and just say, "Here's my email address," and submit it, and they'll say, "We don't have
41 00:02:25,770 --> 00:02:27,660 that email on file."
42 00:02:27,660 --> 00:02:30,970 Well, then that's still username enumeration, right?
43 00:02:30,990 --> 00:02:37,560 So here, this is also username enumeration, because we weren't able to get to this security question until
44 00:02:37,560 --> 00:02:39,540 we provided a valid username.
45 00:02:39,540 --> 00:02:40,410 This is not good.
46 00:02:41,220 --> 00:02:46,340 Now we take this, and it tells us, "Hey, what was your mother's maiden name?"
47 00:02:46,350 --> 00:02:47,370 This is bad.
48 00:02:47,370 --> 00:02:56,250 This is very bad, because it's allowing us to just go do OSINT or go do Googling and say, "Hey, you know,
49 00:02:56,280 --> 00:02:57,600 I know who this user is.
50 00:02:57,600 --> 00:03:00,500 Let me look up what their mother's maiden name might have been."
51 00:03:00,570 --> 00:03:04,280 And it's very possible that it's just this person's last name.
52 00:03:04,410 --> 00:03:08,850 And then we come in here, we reset their password, and we're good to go, and we change this.
53 00:03:08,850 --> 00:03:09,810 Right?
54 00:03:09,810 --> 00:03:18,820 So this is a very, very bad example of a... well, a good example of a bad login form.
55 00:03:18,840 --> 00:03:25,380 Other things you can check for is session fixation. So we can create an account really quick, and I'll show
56 00:03:25,380 --> 00:03:26,310 you what this looks like.
57 00:03:26,340 --> 00:03:33,330 So if we're going to log in and we go "Not yet a customer," and we'll just make a test@test.com
58 00:03:33,330 --> 00:03:40,290 really quick, and I'll make the password test1234, and test1234 as well,
59 00:03:41,070 --> 00:03:47,190 and we'll just do a security question of "What's your eldest sibling's middle name?" We'll say
60 00:03:47,190 --> 00:03:51,220 Bob. We'll register here. OK, so now I'm registered.
61 00:03:51,220 --> 00:04:00,070 Let's go ahead and intercept this, and we can see that we have these cookies here: continueCode, whatever.
62 00:04:00,270 --> 00:04:05,490 A lot of times there's a session ID specifically. Let's go ahead and just send this to Repeater so
63 00:04:05,490 --> 00:04:09,120 we have this saved, and then I'll turn this off.
64 00:04:09,120 --> 00:04:12,660 Let's go ahead and log in now as test@test.com,
65 00:04:16,100 --> 00:04:19,140 test1234, log in.
66 00:04:19,190 --> 00:04:19,420 OK.
67 00:04:19,430 --> 00:04:23,290 Now let's turn this back on and refresh and see what we got.
68 00:04:24,330 --> 00:04:24,580 OK.
69 00:04:24,590 --> 00:04:26,780 Now we have a token.
70 00:04:26,910 --> 00:04:28,020 So this is OK.
71 00:04:28,020 --> 00:04:30,060 We have this token here.
72 00:04:30,120 --> 00:04:31,080 This is good.
73 00:04:31,080 --> 00:04:35,270 So we could test here for this session, and we can see,
74 00:04:35,280 --> 00:04:40,980 OK, well, this session didn't need to rotate, because there was no cookie here to start, or a session token
75 00:04:40,980 --> 00:04:41,550 to start.
76 00:04:41,910 --> 00:04:42,810 So that's good.
77 00:04:42,810 --> 00:04:45,330 This is... no, no session fixation here.
78 00:04:45,330 --> 00:04:45,890 We're testing.
79 00:04:45,900 --> 00:04:46,950 OK.
80 00:04:47,280 --> 00:04:50,400 We could also log out and see what happens.
81 00:04:50,400 --> 00:04:52,330 We can send this to Repeater as well.
82 00:04:52,560 --> 00:04:56,260 And so we have Repeater; we get a request here.
83 00:04:56,270 --> 00:04:57,830 It says 304 Not Modified.
84 00:04:57,840 --> 00:04:59,740 That's fine.
85 00:04:59,760 --> 00:05:07,200 What we're after here is, we're just trying to see, when we actually log out of this, now say we log
86 00:05:07,200 --> 00:05:15,600 out and then we refresh this page, if there's any cookie or token or anything in here, and there's not.
87 00:05:15,600 --> 00:05:17,980 So that's a good sign as well.
88 00:05:18,480 --> 00:05:24,330 We could try as well to come into this Repeater and pass along this session and see if we can get in
89 00:05:24,330 --> 00:05:31,110 with this session token, if it actually expired or anything, or if this changes when we log in as something
90 00:05:31,110 --> 00:05:31,980 different.
91 00:05:32,140 --> 00:05:36,420 And there's a lot of things that we can do playing around with these session tokens, but what we're after,
92 00:05:36,420 --> 00:05:41,910 when it comes to this testing for broken authentication, is: is there session fixation here?
93 00:05:41,910 --> 00:05:50,340 And I'm not seeing it, but it's good to look around at all these features. And again, the username enumeration
94 00:05:50,550 --> 00:05:56,250 may not happen on the login page, and even if it doesn't, it happens a lot on the forgot password page.
95 00:05:56,640 --> 00:06:03,420 And if we're able to brute force this page repeatedly, that's an issue. If we're able to, you know, use
96 00:06:03,450 --> 00:06:09,480 default credentials here, that's an issue. If we're able to log in and there's no multi-factor authentication,
97 00:06:09,510 --> 00:06:10,510 which there isn't,
98 00:06:10,560 --> 00:06:11,780 that's an issue.
99 00:06:11,790 --> 00:06:16,560 So these are things you're going to start looking for and thinking about and prodding. So not only are
100 00:06:16,560 --> 00:06:22,560 you checking, you know, SQL injection here, which we do on login forms and pages, but we're also going
101 00:06:22,560 --> 00:06:26,430 to be checking for authentication issues before we ever log in as well.
102 00:06:26,490 --> 00:06:28,730 Can we bypass authentication?
103 00:06:28,860 --> 00:06:31,230 So that's it for this lesson.
104 00:06:31,230 --> 00:06:32,880 Hopefully this all makes sense.
105 00:06:33,000 --> 00:06:38,480 Again, I do encourage you, for every challenge, to check out all the challenges here.
106 00:06:38,520 --> 00:06:44,640 And the reason we didn't actually do any of these solutions: if we go into Broken Authentication, most
107 00:06:44,640 --> 00:06:47,300 of them are relating to the reset feature.
108 00:06:47,370 --> 00:06:51,720 You could see "change feature," "change feature," or "change password" here in the reset.
109 00:06:51,720 --> 00:06:57,690 So for me, it didn't feel like it was really a challenge; it was more like going out to Google and figuring
110 00:06:57,690 --> 00:07:06,030 out the answer, like for Bender, for example, from the TV show Futurama, and it wanted you to figure
111 00:07:06,030 --> 00:07:09,040 out his security answer, just proving a concept.
112 00:07:09,060 --> 00:07:15,630 So I just wanted to talk more theoretically through this instead. And again, like I was saying, go out
113 00:07:15,630 --> 00:07:21,630 to the OWASP Top 10, review a lot of this stuff. You can go into these challenges and give it a try on
114 00:07:21,630 --> 00:07:28,170 your own, just to kind of understand what they're wanting from these aspects and why broken authentication
115 00:07:28,500 --> 00:07:32,660 is bad, and it's number two because it happens so, so much.
116 00:07:32,850 --> 00:07:38,100 So from here we're going to move on to number three, which is Sensitive Data Exposure, so catch you over
117 00:07:38,100 --> 00:07:38,990 in the next video.
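The two checks the lesson walks through by hand in Burp (does the login or forgot-password endpoint answer differently for a real account than for a made-up one, and does the session identifier change on login) can be scripted. The block below is an added example, not code from the lesson or from the Juice Shop project. It runs offline against constructed responses; the endpoint paths (/rest/user/login, /rest/user/security-question), the JSON shapes, the probe() helper and the 300 ms timing threshold are assumptions, so adjust them to the target before pointing probe() at a live instance you are authorised to test.

```python
"""Username-enumeration and session-rotation checks for a login flow.

Added example, not part of the original lesson. Sample responses are
constructed here (assumed to resemble Juice Shop's behaviour) so the
script runs offline; probe() fetches real ones from a target you own.
"""
import json
import re
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Resp:
    status: int
    body: str
    elapsed_ms: float = 0.0


def normalize(body: str) -> str:
    """Blank values that legitimately differ per request (tokens, ids,
    timestamps) so only semantic differences between two bodies count."""
    body = re.sub(r'"(token|id|createdAt|updatedAt)":\s*("[^"]*"|\d+)',
                  r'"\1":"<x>"', body)
    return re.sub(r"\d{4}-\d{2}-\d{2}T[\d:.]+Z?", "<t>", body)


def enumeration_signals(known: Resp, unknown: Resp,
                        timing_ms: float = 300.0) -> List[str]:
    """List the ways an endpoint lets you tell a real account from a fake
    one. Empty list means no enumeration oracle was observed."""
    signals = []
    if known.status != unknown.status:
        signals.append(f"status code differs: {known.status} vs {unknown.status}")
    if normalize(known.body) != normalize(unknown.body):
        signals.append("response body differs")
    # A password hash is often only computed when the user exists, which
    # leaks existence through timing even when status and body match.
    if abs(known.elapsed_ms - unknown.elapsed_ms) > timing_ms:
        signals.append("response time differs (possible timing oracle)")
    return signals


def session_fixation_verdict(pre_login: Optional[str],
                             post_login: Optional[str]) -> str:
    """Compare the session value issued before and after authentication."""
    if not pre_login:
        return "no pre-auth session issued: nothing to fixate"
    if not post_login or post_login == pre_login:
        return "session NOT rotated on login: fixation candidate"
    return "session rotated on login"


def probe(base_url: str, path: str, method: str = "GET",
          data: Optional[dict] = None) -> Resp:
    """Fetch one response and time it (assumed helper; not run offline)."""
    payload = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(base_url.rstrip("/") + path, data=payload,
                                 method=method,
                                 headers={"Content-Type": "application/json"})
    t0 = time.perf_counter()
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            status, text = r.status, r.read().decode(errors="replace")
    except urllib.error.HTTPError as e:
        status, text = e.code, e.read().decode(errors="replace")
    return Resp(status, text, (time.perf_counter() - t0) * 1000)


# Constructed samples (assumption: modelled on Juice Shop's JSON shapes).
LOGIN_KNOWN = Resp(401, "Invalid email or password.", 210)
LOGIN_UNKNOWN = Resp(401, "Invalid email or password.", 190)
SQ_KNOWN = Resp(200, json.dumps({"question": {"id": 2,
                                             "question": "Mother's maiden name?"}}), 20)
SQ_UNKNOWN = Resp(200, "{}", 18)

SAMPLES: Dict[str, Tuple[Resp, Resp]] = {
    "POST /rest/user/login": (LOGIN_KNOWN, LOGIN_UNKNOWN),
    "GET /rest/user/security-question": (SQ_KNOWN, SQ_UNKNOWN),
}


def check_endpoints(samples: Dict[str, Tuple[Resp, Resp]]) -> Dict[str, List[str]]:
    return {name: enumeration_signals(k, u) for name, (k, u) in samples.items()}


if __name__ == "__main__":
    for name, sig in check_endpoints(SAMPLES).items():
        print(name, "->", "no oracle" if not sig else "; ".join(sig))
    print(session_fixation_verdict(None, "eyJhbGciOi..."))
```

On the constructed data the login endpoint shows no oracle while the security-question endpoint does, matching what the lesson observes in the browser. Against a live target, replace the samples with probe() calls for one account you own and one address that cannot exist, and repeat each request a few times before trusting a timing difference, since a single pair of measurements is noisy.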