1
00:00:00,090 --> 00:00:07,230
Before we dive into penetration testing I think it's super important to talk about the OWASP

2
00:00:07,290 --> 00:00:13,120
Top 10 and to provide this checklist from OWASP that we're gonna be using.

3
00:00:13,200 --> 00:00:16,280
And first of all let's just talk about OWASP.

4
00:00:16,310 --> 00:00:20,700
So OWASP stands for the Open Web Application Security Project.

5
00:00:20,700 --> 00:00:24,650
This is the web app reference.

6
00:00:24,730 --> 00:00:25,470
101.

7
00:00:25,470 --> 00:00:26,780
I have no better way to put it.

8
00:00:26,820 --> 00:00:31,100
This is the go-to place when it comes to web application penetration testing.

9
00:00:31,250 --> 00:00:32,040
It's OWASP.

10
00:00:32,090 --> 00:00:37,290
And you're going to hear this all over the place especially when it comes to web application penetration

11
00:00:37,290 --> 00:00:41,370
testing and you're going to hear interview questions and all kinds of stuff related to this.

12
00:00:41,910 --> 00:00:46,560
So what I want you to do is I just want you to go out to Google and you know go to the OWASP website

13
00:00:47,040 --> 00:00:50,340
explore around see what's interesting here.

14
00:00:50,370 --> 00:00:55,430
The one thing I do want to point out is there is the Top 10 and this is great.

15
00:00:55,440 --> 00:00:57,540
Right here we could open this in a new tab.

16
00:00:57,540 --> 00:01:02,310
They also have this cheat sheet series that they're starting so you can go into here and say you're

17
00:01:02,310 --> 00:01:08,300
looking for specific cheat sheets you can look for cheat sheets on, like say, cross-site scripting which

18
00:01:08,300 --> 00:01:13,200
we haven't gotten to any of this but it'll tell you hey like here's all the different ways that you

19
00:01:13,200 --> 00:01:16,610
can test for cross-site scripting here's different payloads.

20
00:01:16,740 --> 00:01:18,180
Here's how to attack.
21
00:01:18,180 --> 00:01:24,790
And it's really nice and they give you all different kinds of ways to attack and you know we're going

22
00:01:24,790 --> 00:01:31,920
to be covering the Top 10 in this course which here's the Top 10 the Top 10 being what they consider

23
00:01:31,920 --> 00:01:40,320
the Top 10 most popular weaknesses in a web application and what any company or organization should

24
00:01:40,320 --> 00:01:41,730
be aware of.

25
00:01:41,760 --> 00:01:49,110
So these change from year to year right now they're in the 2017 version of it and you could just click

26
00:01:49,110 --> 00:01:54,070
on this here and kind of get an idea of what some of the Top 10 are.

27
00:01:54,390 --> 00:02:00,370
Now there are at least over 100 different ways to exploit a website.

28
00:02:00,420 --> 00:02:03,030
Probably way way above that.

29
00:02:03,090 --> 00:02:04,690
OK.

30
00:02:04,740 --> 00:02:08,490
And there's all different kinds of vulnerabilities that you could check for the Top 10 are considered

31
00:02:08,490 --> 00:02:10,360
the most critical.

32
00:02:10,470 --> 00:02:13,950
Now these are what your employer.

33
00:02:13,950 --> 00:02:18,930
Potential employer are probably going to interview you on these 10 topics.

34
00:02:18,930 --> 00:02:21,720
And it's important to know what they are.

35
00:02:21,780 --> 00:02:26,400
You don't have to like know specifically one through ten have it memorized.

36
00:02:26,400 --> 00:02:27,240
It doesn't hurt.

37
00:02:27,900 --> 00:02:30,690
Sometimes like in an interview I've been asked OK.

38
00:02:30,710 --> 00:02:34,710
You know what is the number one on the Top 10.

39
00:02:34,710 --> 00:02:37,260
And you should know it's injection.

40
00:02:37,260 --> 00:02:41,900
But I couldn't tell you that security misconfiguration was number six for example.
41
00:02:42,090 --> 00:02:46,290
But you know you might have some of those trivia questions but more than likely what they're going to

42
00:02:46,290 --> 00:02:50,520
ask you is what is an XML external entity.

43
00:02:50,520 --> 00:02:52,840
How would you go about exploiting that.

44
00:02:52,860 --> 00:02:53,230
OK.

45
00:02:53,240 --> 00:02:54,090
You've exploited it.

46
00:02:54,120 --> 00:02:55,770
Now how would you go about defending that.

47
00:02:55,770 --> 00:03:00,090
How could you instruct a client to defend against this.

48
00:03:00,120 --> 00:03:07,590
And in my experience being able to talk to developers is one of the hardest things especially if you're

49
00:03:07,590 --> 00:03:08,990
not a developer.

50
00:03:09,480 --> 00:03:14,010
Previously I was not a developer I don't come from a development background.

51
00:03:14,010 --> 00:03:20,670
So when you're doing a web app assessment you have to imagine the situation that you're in you are attacking

52
00:03:21,210 --> 00:03:26,600
a website or web application that has been developed by people and then you have to go face to face

53
00:03:26,600 --> 00:03:31,140
with those people and tell them what's wrong with their website or what's wrong with their web application

54
00:03:31,590 --> 00:03:34,610
and they can become defensive.

55
00:03:34,680 --> 00:03:40,830
And it's very easy to you know you're beating up their baby it's their pride and joy.

56
00:03:40,830 --> 00:03:46,650
And nobody wants to be told that they've left flaws in an application or anything.

57
00:03:46,650 --> 00:03:53,400
So sometimes it can get combative not to scare anybody away but just to prepare you for those situations.
58
00:03:53,850 --> 00:04:01,020
So having a good understanding of what you are exploiting and why it's vulnerable and also how to fix

59
00:04:01,020 --> 00:04:05,670
it is super important because that way you can relay that to the dev and the better that you are talking

60
00:04:05,670 --> 00:04:10,920
about it the more respect you're going to get in a room and the less likely that there's going to be

61
00:04:10,920 --> 00:04:15,510
combativeness because you're gonna be able to hold your own against people that are developers.

62
00:04:16,050 --> 00:04:21,390
So with all that being out of the way we're going to be covering these Top 10 here and if you want you can

63
00:04:21,390 --> 00:04:26,670
scroll through this and just read through the different Top 10 it has them here and how it's changed

64
00:04:26,670 --> 00:04:32,550
between you know 2013 and 2017 and come right through and it gives you a high level overview of all the

65
00:04:32,550 --> 00:04:37,560
different types of flaws and you can come right to injection here and it talks about the different types

66
00:04:37,560 --> 00:04:41,760
of injection how to prevent it you know is it vulnerable.

67
00:04:41,760 --> 00:04:44,310
And then it gives you all different kinds of references.

68
00:04:44,310 --> 00:04:47,870
Here's all the different types of cheat sheets that are available to you.

69
00:04:48,510 --> 00:04:53,430
And just these CWEs as well which are just another thing to look at PortSwigger's another thing to

70
00:04:53,430 --> 00:04:54,520
look at as well.

71
00:04:54,680 --> 00:04:56,760
There's all different kinds of things here.

72
00:04:56,790 --> 00:04:58,510
Example scenarios.

73
00:04:58,590 --> 00:05:03,720
So this is very very well laid out and it's just a fantastic resource for anybody looking to get into

74
00:05:03,720 --> 00:05:07,230
web application testing web apps are overwhelming.
75
00:05:07,230 --> 00:05:12,210
But the more you read up the more you study the more you just keep up with the times the better off you're

76
00:05:12,210 --> 00:05:13,320
going to be.

77
00:05:13,320 --> 00:05:20,330
So with that all being said let's go to Google one more time or two more times here and what I want

78
00:05:20,330 --> 00:05:23,070
you to download is this OWASP checklist.

79
00:05:23,090 --> 00:05:25,070
So go just google OWASP checklist.

80
00:05:25,070 --> 00:05:29,120
GitHub and this tanprathan in here.

81
00:05:29,160 --> 00:05:30,290
This first one that comes up.

82
00:05:30,290 --> 00:05:34,200
You can just click on this and you should be looking for an Excel sheet.

83
00:05:34,200 --> 00:05:36,690
And let me bring that up on my end.

84
00:05:36,690 --> 00:05:43,920
So this Excel sheet I have witnessed firsthand save an assessment and I'll explain that here in

85
00:05:43,920 --> 00:05:47,580
a second but here you have a checklist.

86
00:05:47,580 --> 00:05:53,760
And if you scroll through it there are one hundred and twenty four different things to test for.

87
00:05:53,760 --> 00:05:59,300
And this is what they consider you know you need to test for when you're testing a web application and

88
00:05:59,300 --> 00:06:00,990
what's nice is it says hey what are you doing.

89
00:06:00,990 --> 00:06:03,380
Well we know where we start with information gathering.

90
00:06:03,540 --> 00:06:07,030
So we're going to conduct search engine discovery right.

91
00:06:07,110 --> 00:06:11,930
Going way back to what we were doing with information gathering in the beginning of this series.

92
00:06:11,940 --> 00:06:13,050
That makes sense.

93
00:06:13,050 --> 00:06:18,930
And it says hey Google hacking you can use tools like SiteDigger Shodan etc. and then you have a

94
00:06:18,930 --> 00:06:24,530
checklist you could say yeah I did this it has no issues or it has issues or not applicable.
95
00:06:25,290 --> 00:06:26,970
And it tells you a description.

96
00:06:26,970 --> 00:06:28,230
That's great.

97
00:06:28,230 --> 00:06:29,180
Part two of this.

98
00:06:29,180 --> 00:06:30,380
That's actually fantastic.

99
00:06:30,380 --> 00:06:37,170
Two is if you come over and you go to Google one more time and you say OWASP checklist PDF the first

100
00:06:37,170 --> 00:06:41,880
thing that comes up is this OWASP testing guide and I'll provide links to both of these in the description

101
00:06:42,270 --> 00:06:49,900
or the references section but if you click on this and you see here OWASP Testing Guide 4.0.

102
00:06:49,950 --> 00:06:52,980
Now you can scroll through this and it might take just a little bit.

103
00:06:52,980 --> 00:06:58,600
I'm going to try to cheat a little bit and scroll down and what happens is eventually you're gonna

104
00:06:58,860 --> 00:07:05,930
run into the same checklist area so you're going to run into INFO-001.

105
00:07:05,940 --> 00:07:07,710
I believe it starts at three.

106
00:07:07,710 --> 00:07:09,810
Chapter Three here.

107
00:07:09,840 --> 00:07:12,270
So it covers the framework or actually chapter four.

108
00:07:12,270 --> 00:07:13,840
I apologize.

109
00:07:13,860 --> 00:07:22,500
And you come through here and you have OTG-001 and this is on page 30 so 001.

110
00:07:22,510 --> 00:07:26,920
If we go back to our Excel you could see OTG-001.

111
00:07:26,940 --> 00:07:27,350
OK.

112
00:07:28,080 --> 00:07:32,910
And what's nice about the PDF is it says hey here's what you're looking for.

113
00:07:32,910 --> 00:07:39,000
Here's the test objectives here's how you test it and it gives you all different tools examples etc.

114
00:07:39,030 --> 00:07:40,930
what you can be looking for in here.

115
00:07:41,160 --> 00:07:44,880
And then it goes into 002 and goes right through it.
116
00:07:45,000 --> 00:07:51,260
When I first started out pen testing against web apps and still to this day I use it a little bit less.

117
00:07:51,320 --> 00:07:52,650
I still use it.

118
00:07:52,650 --> 00:07:58,870
I use this PDF like you know I went literally line by line on this.

119
00:07:58,920 --> 00:08:04,950
I used the PDF and I tested for every single thing in here so I left no stone unturned and that's kind

120
00:08:04,950 --> 00:08:08,640
of the story time I want to get into here quick and why having a checklist is important and then we'll

121
00:08:08,640 --> 00:08:09,510
wrap up the video.

122
00:08:10,170 --> 00:08:19,440
So this checklist one time I was sitting with a very much senior web app tester a brilliant guy you

123
00:08:19,440 --> 00:08:27,190
know I would trust him to test a web app and what had happened is we had been testing this website

124
00:08:27,280 --> 00:08:32,470
this whole time and testing this website and we weren't really finding anything you know but we weren't

125
00:08:32,650 --> 00:08:33,970
also we weren't using a checklist.

126
00:08:33,970 --> 00:08:39,970
We're just kind of going off methodology from his head and you know just testing the application as

127
00:08:39,970 --> 00:08:46,600
he saw it and he was like you know the last thing I do in an assessment is I go back and I go through

128
00:08:46,600 --> 00:08:49,660
the checklist and I check the boxes and I say yes I did this.

129
00:08:49,660 --> 00:08:50,950
No I didn't.

130
00:08:50,980 --> 00:08:56,500
And while we were scrolling through the list and then there came up something about you know checking

131
00:08:56,500 --> 00:09:02,110
on the account creation parameters or assigning parameters and there was something I was going to use

132
00:09:02,110 --> 00:09:03,090
this to type in here.

133
00:09:03,190 --> 00:09:09,300
There was something when you were creating an account that said admin equals false.
134
00:09:09,370 --> 00:09:14,870
So what if you were to intercept your requests and change it to admin equals true.

135
00:09:14,920 --> 00:09:15,580
Well guess what.

136
00:09:15,580 --> 00:09:18,910
It made the account an admin when you registered.

137
00:09:18,910 --> 00:09:25,690
Now had he not checked the checklist he would have just let this mentally lapse it didn't mean that

138
00:09:25,690 --> 00:09:29,600
he didn't know how to test for this or what he was looking for.

139
00:09:29,680 --> 00:09:34,780
It just means that the testing here is overwhelming again there's one hundred and twenty something of these

140
00:09:34,780 --> 00:09:38,830
to look for you know you're bound to forget about one or two.

141
00:09:38,830 --> 00:09:39,910
It's just human nature.

142
00:09:39,910 --> 00:09:42,610
You know most people are not really capable of memorizing this.

143
00:09:42,880 --> 00:09:45,400
So please utilize a checklist in your testing.

144
00:09:45,400 --> 00:09:51,040
It's so useful you have all these resources available to you and you should take advantage of them

145
00:09:51,040 --> 00:09:51,520
fully.

146
00:09:52,330 --> 00:09:54,460
So that's my spiel on this.

147
00:09:54,460 --> 00:09:55,560
Again I use this.

148
00:09:55,570 --> 00:10:01,630
I give this to a client every time I have my notes in here and I'll make the notation that way

149
00:10:01,660 --> 00:10:07,150
when we go back we can reference anything or any questions they might have when it comes down to what

150
00:10:07,150 --> 00:10:09,520
I looked at and what I saw and what I didn't see.

151
00:10:10,180 --> 00:10:17,320
So from here we're gonna go ahead and do some installs to get our setup ready and we're going to start

152
00:10:17,320 --> 00:10:22,450
talking about Burp Suite more in depth after that and start working through the Top 10.

153
00:10:23,110 --> 00:10:25,180
So let's go ahead and move on to the next video.