1
00:00:00,760 --> 00:00:08,620
OK, let's cover our first basic example of broken authentication, and for this, we're going to start

2
00:00:08,620 --> 00:00:10,210
off with the TryHackMe platform.

3
00:00:10,780 --> 00:00:12,850
So make sure everything is started.

4
00:00:12,880 --> 00:00:21,430
You have your Burp Suite, you have your VPN running, and make sure that you also get the IP address for

5
00:00:21,460 --> 00:00:22,120
the VPN.

6
00:00:23,180 --> 00:00:29,540
Once you do all of that, navigate to the TryHackMe platform and go as usual to our Web Hacking Fundamentals

7
00:00:29,690 --> 00:00:32,060
and navigate to our OWASP Top 10 room.

8
00:00:33,790 --> 00:00:34,570
Here it is.

9
00:00:34,720 --> 00:00:35,880
Let's go right here.

10
00:00:37,120 --> 00:00:43,270
And we already know right here we've got a bunch of different tasks, but for this lecture, we want to

11
00:00:43,270 --> 00:00:47,180
navigate to task number six and task number seven.

12
00:00:47,650 --> 00:00:53,920
Now, if you want to read about broken authentication a little bit, you can read through task number

13
00:00:53,920 --> 00:00:59,530
six and then navigate to the practical part, which is task number seven.

14
00:00:59,950 --> 00:01:01,790
And this task is rather easy.

15
00:01:02,170 --> 00:01:06,600
So let's take a look and let's read what it asks from us.

16
00:01:07,180 --> 00:01:13,030
But before we read through this task, let's start our machine, because we already know that it takes

17
00:01:13,240 --> 00:01:16,510
about a minute or two in order for it to start properly.

18
00:01:17,230 --> 00:01:19,960
While it's starting, let's read through this task.

19
00:01:20,680 --> 00:01:25,300
For this example, we'll be looking at a logic flaw within the authentication mechanism.

20
00:01:25,870 --> 00:01:32,500
A lot of times what happens is that developers forget to sanitize the input given by the user in the

21
00:01:32,500 --> 00:01:37,120
code of their application, which can make them vulnerable to attacks like SQL injection.

22
00:01:37,880 --> 00:01:39,520
OK, we already knew that.

23
00:01:39,890 --> 00:01:41,680
Let's go all the way down.

24
00:01:41,680 --> 00:01:44,380
Let's understand this type with the help of an example.

25
00:01:44,620 --> 00:01:48,700
Say there is an existing user with the name admin, OK?

26
00:01:49,270 --> 00:01:51,630
And now we want to get access to their account.

27
00:01:51,650 --> 00:01:59,140
So what we can do is try to re-register that username, but with a slight modification: we're going

28
00:01:59,140 --> 00:02:02,140
to enter a space and then "admin".

29
00:02:03,230 --> 00:02:05,060
Notice the space at the start.

30
00:02:05,260 --> 00:02:11,510
OK, now, when you enter that in the username field and enter the other required information like email

31
00:02:11,510 --> 00:02:17,000
ID or password and submit the data, it will actually register a new user.

32
00:02:17,000 --> 00:02:20,760
But that user will have the same rights as the normal admin.

33
00:02:21,860 --> 00:02:24,000
That seems to be quite a bit of a problem.

34
00:02:24,800 --> 00:02:26,240
Let's continue reading.

35
00:02:26,840 --> 00:02:32,360
That new user will also be able to see all the content presented under the user admin.

36
00:02:33,290 --> 00:02:40,040
To see this in action, go to this link, so let's visit it straight away and let's go down just to

37
00:02:40,040 --> 00:02:47,490
read until the end and try to register a user named Darren; you'll see that the user already exists.

38
00:02:47,510 --> 00:02:54,020
So then try to register a user " Darren" (with a leading space), and you'll see that you are now logged in and will be

39
00:02:54,020 --> 00:02:59,720
able to see the content present only in their account, which in our case is the flag that you need

40
00:02:59,720 --> 00:03:00,320
to retrieve.

41
00:03:01,040 --> 00:03:02,230
Hmm, interesting.

42
00:03:02,630 --> 00:03:06,730
And the first question is, what is the flag that you found in their account?

43
00:03:07,520 --> 00:03:08,990
So let's go and take a look.

44
00:03:09,860 --> 00:03:16,430
If we try to log in as Darren by typing "Darren" and, let's say, "test1234" and click

45
00:03:16,430 --> 00:03:17,180
on sign in.

46
00:03:18,200 --> 00:03:25,670
We get an error: invalid username or password. So let's try to do what the TryHackMe example told

47
00:03:25,670 --> 00:03:28,990
us to do, which is to register a user with a slight modification.

48
00:03:29,000 --> 00:03:34,730
So let's type a space and then "Darren". Make sure there is a space before it here.

49
00:03:34,730 --> 00:03:36,140
Otherwise it will not work.

50
00:03:36,500 --> 00:03:39,820
And under the email, we can type any email that we want.

51
00:03:40,520 --> 00:03:48,440
I typed test@gmail.com, which is probably a non-existent email, and for the password type test

52
00:03:48,440 --> 00:03:49,880
one, two, three, four.

53
00:03:50,150 --> 00:03:52,100
And we'll register this user.

54
00:03:53,050 --> 00:03:55,360
OK, so we registered the user successfully.

55
00:03:55,640 --> 00:04:02,200
Now let's try to log in as that user and see whether we will be able to find the flag that should only

56
00:04:02,200 --> 00:04:04,940
be accessible from Darren's real account.

57
00:04:05,500 --> 00:04:06,790
So let's go right here.

58
00:04:07,420 --> 00:04:09,310
Type a space and then "Darren".

59
00:04:10,580 --> 00:04:12,980
And test one, two, three, four.

60
00:04:13,920 --> 00:04:15,090
Let's click on Sign In.

61
00:04:16,010 --> 00:04:21,980
And here is the flag, so we successfully performed a broken authentication attack where we

62
00:04:21,980 --> 00:04:27,230
registered a new user with a slight modification, such as adding a space at the beginning of the name,

63
00:04:27,530 --> 00:04:33,380
and it allowed us to see the flag that should only be accessible from the real Darren user.

64
00:04:33,650 --> 00:04:37,190
And we would submit this flag right here under this question.

65
00:04:38,630 --> 00:04:44,330
OK, and the other question is: try to do the same trick and see if you can log in as Arthur.

66
00:04:45,450 --> 00:04:50,800
So I assume the Arthur account already exists, so pretty much we can do the same thing.

67
00:04:50,820 --> 00:04:57,690
We can go register a space and then "Arthur", and for the email, we can type once again anything that

68
00:04:57,690 --> 00:04:58,200
we want.

69
00:04:58,440 --> 00:05:02,330
I typed test2@gmail.com, and the password will be test

70
00:05:02,340 --> 00:05:03,750
one, two, three, four, five.

71
00:05:04,200 --> 00:05:06,680
Just to make it different from Darren's account.

72
00:05:07,530 --> 00:05:08,820
Now let's go and log in.

73
00:05:09,030 --> 00:05:12,780
So a space, "Arthur", and test

74
00:05:13,020 --> 00:05:14,550
one, two, three, four, five.

75
00:05:15,240 --> 00:05:19,620
Click on sign in, and here we get Arthur's flag as well.

76
00:05:20,400 --> 00:05:25,890
So we pretty much performed the same thing for two different accounts, for Darren's account and for Arthur's

77
00:05:25,890 --> 00:05:26,400
account.

78
00:05:26,610 --> 00:05:32,580
And if this type of vulnerability were to exist in a real page, we would pretty much be able to access

79
00:05:32,580 --> 00:05:36,750
any account on that page just by knowing its username.

80
00:05:37,600 --> 00:05:42,640
We would then perform a slight modification, register a new username, and we would be able to see

81
00:05:43,240 --> 00:05:45,580
all the things that the original user can see.

82
00:05:46,750 --> 00:05:52,060
OK, but this was a rather simple example of broken authentication. In the next video, we're going to

83
00:05:52,060 --> 00:05:59,230
go back to our overspeed W8 and try to take a look at a different broken authentication attack, seen

84
00:05:59,230 --> 00:05:59,950
in the next lecture.