1
00:00:01,430 --> 00:00:08,570
So I've gone ahead and just pulled up the sensitive data exposure portion of the guide, and you can

2
00:00:08,570 --> 00:00:16,190
see it's pretty much gaining access to confidential information, unwanted information, finding a backup

3
00:00:16,190 --> 00:00:18,260
file, etc.

4
00:00:18,320 --> 00:00:22,670
And this all boils down to enumeration.

5
00:00:22,670 --> 00:00:28,250
Just like I said before, a lot of this is enumeration, or discovering, you know, discovering an item that

6
00:00:28,250 --> 00:00:30,220
should not be exposed.

7
00:00:30,230 --> 00:00:32,790
And that's really what it is.

8
00:00:32,840 --> 00:00:41,630
So everything that I've given you so far in terms of tools and techniques is available to you to actually

9
00:00:42,140 --> 00:00:45,600
attack this and try to find things.

10
00:00:45,620 --> 00:00:53,900
The one thing that I can say is we'll walk through just this one here, and if we did a quick dirbuster

11
00:00:54,050 --> 00:01:00,110
against this website we would find a directory on here called FTP.

12
00:01:00,500 --> 00:01:09,170
And guess what, FTP has a bunch of different files in here, including backup files, a KDBX, which is

13
00:01:09,170 --> 00:01:17,990
like a key storage database, right, for your passwords, quarantine, there's different kinds of malware stuff

14
00:01:17,990 --> 00:01:18,930
in here.

15
00:01:19,010 --> 00:01:25,240
So, you know, there's a lot of interesting things in here, and this is just one of the data exposures, but

16
00:01:25,240 --> 00:01:29,390
this is what I'm talking about, like when I told you in the last video that I found a backup folder of

17
00:01:29,390 --> 00:01:31,910
literally the backup of the website.

18
00:01:31,910 --> 00:01:33,150
That happens.

19
00:01:33,200 --> 00:01:39,860
The other thing to point out is, coming into here, you just need to dig into every single folder and

20
00:01:39,860 --> 00:01:42,030
read what's going on in the response.

21
00:01:42,350 --> 00:01:43,990
Every response is important.

22
00:01:44,000 --> 00:01:46,930
You have no idea what you're going to find.

23
00:01:47,960 --> 00:01:53,750
And just looking through here, like, you could search at the bottom for something like "password", or you could

24
00:01:53,750 --> 00:01:56,740
search for "key" or "keys".

25
00:01:56,750 --> 00:02:03,470
I always search for those and try to find anything related to keys, and, you know, it just takes time to

26
00:02:03,470 --> 00:02:09,140
go through these and look through all the different responses and see what they're doing, and especially

27
00:02:09,140 --> 00:02:13,940
JavaScript. If you can get JavaScript to pull down with the response, that's always good.

28
00:02:13,940 --> 00:02:16,880
And yeah, that's, I mean, that's really it.

29
00:02:16,880 --> 00:02:22,700
So the one thing that we're missing here, that I wish that we had so I could show you, is this dashboard,

30
00:02:22,760 --> 00:02:25,040
like I showed you with the active scanning.

31
00:02:25,040 --> 00:02:27,860
It also does this passively for us.

32
00:02:27,890 --> 00:02:33,530
So this is what's really nice about Burp Pro: it's good at finding what I call the low findings without

33
00:02:33,530 --> 00:02:35,650
doing much of anything.

34
00:02:35,690 --> 00:02:40,700
And one of those is something like response headers.

35
00:02:40,700 --> 00:02:43,220
Now, these response headers are important.

36
00:02:43,700 --> 00:02:47,840
And it's also good at finding, like, you know, looking at the cookies as well, which we'll talk about when

37
00:02:47,840 --> 00:02:53,900
we get to cross-site scripting, but the response headers are important because we can see what kind

38
00:02:53,900 --> 00:03:02,300
of protections they have here, and these different protections are, you know, how we can defend against

39
00:03:02,360 --> 00:03:11,390
certain things, and one of the defenses was something called HSTS, which stands for HTTP Strict

40
00:03:11,390 --> 00:03:13,010
Transport Security.

41
00:03:13,010 --> 00:03:21,290
Now, that is a header that should be set in order to prevent an attack where we take secure data, say

42
00:03:21,310 --> 00:03:28,700
HTTPS, we strip it, and it's called a protocol downgrade attack, and we make it HTTP, and then guess

43
00:03:28,700 --> 00:03:28,970
what.

44
00:03:29,000 --> 00:03:33,290
All of your encrypted data is now unencrypted.

45
00:03:33,290 --> 00:03:37,820
So there is a header out there that is called Strict-Transport-Security.

46
00:03:37,820 --> 00:03:39,920
Guess what, I'm not seeing it on here.

47
00:03:39,920 --> 00:03:44,300
You would see Strict-Transport-Security. Because of that,

48
00:03:44,300 --> 00:03:52,820
that means that HSTS is not enabled here, and we could prevent, or we could attack, this website with

49
00:03:52,820 --> 00:03:54,330
a downgrade attack.

50
00:03:54,350 --> 00:03:56,330
Now, that is a man-in-the-middle type attack.

51
00:03:56,330 --> 00:04:02,120
It's not something that's necessarily easy, but it's something that could be performed and is reportable

52
00:04:02,120 --> 00:04:05,530
to a client. And a good website for this,

53
00:04:05,600 --> 00:04:09,800
if you're testing against something that's externally facing, which we're not, so we can't do this,

54
00:04:09,800 --> 00:04:17,660
but securityheaders.io or .com, either one works. You just come in here and you scan a website,

55
00:04:17,720 --> 00:04:23,860
and for example we can scan tesla.com, and you can take a look, and it gives you a report right away.

56
00:04:23,870 --> 00:04:29,570
It's a C. OK, and it comes through here and says here's all the different headers, which, remember, we looked

57
00:04:29,570 --> 00:04:35,570
at the headers and where we saw all the different weird Tesla headers, this isn't really common, but you

58
00:04:35,570 --> 00:04:41,660
come through here and it says, hey, look, you're missing this header, this header, and this header, and you

59
00:04:41,660 --> 00:04:42,970
have these headers here.

60
00:04:42,980 --> 00:04:47,750
Look, here's the Strict-Transport-Security header that we're talking about, and you can come through here

61
00:04:47,750 --> 00:04:50,210
and see it, like, here it is in green, they have it.

62
00:04:50,210 --> 00:04:51,380
That's good, right?

63
00:04:51,380 --> 00:04:55,850
But they're still missing some headers down here, so I always like to take screenshots of what they're

64
00:04:55,850 --> 00:05:00,740
missing, so that way they have best practices and what they should be including.

65
00:05:00,740 --> 00:05:05,420
So this is just another way. It's not necessarily sensitive data exposure with the security headers, but

66
00:05:05,420 --> 00:05:07,820
it is when we include the HSTS.

67
00:05:07,820 --> 00:05:08,060
Yes.

68
00:05:08,090 --> 00:05:13,160
So you should be considering and thinking about security headers as well when you're doing these sorts

69
00:05:13,250 --> 00:05:23,050
of searches. One other thing to point out is that we should also be looking at the level of encryption

70
00:05:23,110 --> 00:05:24,220
on the website.

71
00:05:24,230 --> 00:05:26,910
Now, there is a tool that we can use for that.

72
00:05:26,920 --> 00:05:28,220
And it's called nmap.

73
00:05:28,240 --> 00:05:34,360
It's a great tool, and we can use it to scan a website and see what level of encryption they are at and

74
00:05:34,360 --> 00:05:36,100
get a rating or report back.

75
00:05:36,100 --> 00:05:38,220
So let's take a look at that.

76
00:05:38,230 --> 00:05:46,210
So what we're gonna do is, I'm just going to open a new tab here, and again, since we're not using HTTPS on

77
00:05:46,210 --> 00:05:48,360
this site, it's not going to be relevant.

78
00:05:48,400 --> 00:05:53,440
So I'm going to scan this against Tesla, but we're going to say something like nmap,

79
00:05:53,440 --> 00:06:01,720
and then we can say --script=ssl-enum-ciphers, so we're looking at the ciphers and how strong

80
00:06:01,720 --> 00:06:02,830
their ciphers are.

81
00:06:02,950 --> 00:06:07,780
And we get to say port 443, tesla.com, something along those lines.

82
00:06:07,850 --> 00:06:08,670
OK.

83
00:06:08,980 --> 00:06:12,110
Hit enter, and it should just take a second to come back, depending.

84
00:06:12,130 --> 00:06:19,390
It's going to go out, pull down all the SSL information, and then drop down a list of information back

85
00:06:19,390 --> 00:06:27,700
to us, then it's going to say, hey, you know, it's gonna give it a grade like A, B, C, D, F, and so go ahead

86
00:06:27,700 --> 00:06:29,380
and let this scan. If it takes a second,

87
00:06:29,380 --> 00:06:33,310
go ahead and just pause the video and then come back when you're done scanning.

88
00:06:37,090 --> 00:06:37,390
OK.

89
00:06:37,400 --> 00:06:40,640
So we're back, and you can see the least strength is an A.

90
00:06:40,640 --> 00:06:41,960
This is fantastic.

91
00:06:41,960 --> 00:06:46,650
This means that Tesla goes in there and they really take care of business.

92
00:06:46,760 --> 00:06:52,100
If we were to see, like, an F or even a C, we would probably report this.

93
00:06:52,100 --> 00:06:56,290
You know, like, if they have bad ciphers, that's reportable. Again, it's a low finding.

94
00:06:56,300 --> 00:07:00,710
But this has to deal with that sensitive data exposure.

95
00:07:00,740 --> 00:07:07,170
If we can attack a cipher, and again, this is a very complicated attack, but if we can downgrade, you know,

96
00:07:07,190 --> 00:07:16,960
something like SSL or TLS, whatever, we can overcome, you know, the encryption, and we can then, then

97
00:07:16,970 --> 00:07:19,730
we can get the sensitive data exposed to us.

98
00:07:19,760 --> 00:07:21,770
So it's always good to check for this as well.

99
00:07:21,770 --> 00:07:26,300
These are just best practices, kind of, as we're going, and we're mentioning these that we should be checking

100
00:07:26,300 --> 00:07:26,630
for.

101
00:07:26,660 --> 00:07:30,110
So I know this can be a lot and a little bit overwhelming.

102
00:07:30,110 --> 00:07:31,820
So please, again, take notes.

103
00:07:31,820 --> 00:07:32,930
I'm going to keep harping on this.

104
00:07:32,930 --> 00:07:38,680
Take notes, rewatch this if you need to, rewatch the entire web app portion if you need to.

105
00:07:39,200 --> 00:07:44,540
But make sure you're checking for security headers, make sure you're checking for the SSL ciphers.

106
00:07:44,540 --> 00:07:49,730
These are two basic, common checks that you're going to want, especially when you're writing reports up

107
00:07:49,730 --> 00:07:51,190
against a client and a website.

108
00:07:51,680 --> 00:07:53,390
So that's it for this.

109
00:07:53,390 --> 00:07:58,970
Next we're gonna get into XML external entities, which are incredibly fun and incredibly dangerous.

110
00:07:59,090 --> 00:08:00,940
So I'll get you over in the next video.