1
00:00:00,760 --> 00:00:08,620
OK, let's cover our first basic example of broken authentication, and for this, we're going to start

2
00:00:08,620 --> 00:00:10,210
off with the TryHackMe platform.

3
00:00:10,780 --> 00:00:12,850
So make sure everything is started.

4
00:00:12,880 --> 00:00:21,430
You have your Burp Suite, you have your VPN running, and make sure that you also get the IP address for

5
00:00:21,460 --> 00:00:22,120
the VPN.

6
00:00:23,180 --> 00:00:29,540
Once you do all of that, navigate to the TryHackMe platform and go as usual to our Web Hacking Fundamentals

7
00:00:29,690 --> 00:00:32,060
and navigate to our OWASP Top 10 room.

8
00:00:33,790 --> 00:00:34,570
Here it is.

9
00:00:34,720 --> 00:00:35,880
Let's go right here.

10
00:00:37,120 --> 00:00:43,270
And we already know right here we got a bunch of different tasks, but for this lecture, we want to

11
00:00:43,270 --> 00:00:47,180
navigate to task number six and task number seven.

12
00:00:47,650 --> 00:00:53,920
Now, if you want to read about broken authentication a little bit, you can read through the task number

13
00:00:53,920 --> 00:00:59,530
six and then navigate to the practical part, which is task number seven.

14
00:00:59,950 --> 00:01:01,790
And this task is rather easy.

15
00:01:02,170 --> 00:01:06,600
So let's take a look and let's read what it asks from us.

16
00:01:07,180 --> 00:01:13,030
But before we read through this task, let's start our machine, because we already know that it takes

17
00:01:13,240 --> 00:01:16,510
about a minute or two in order for it to start properly.

18
00:01:17,230 --> 00:01:19,960
While it's starting, let's read through this task.

19
00:01:20,680 --> 00:01:25,300
For this example, we'll be looking at a logic flaw within the authentication mechanism.

20
00:01:25,870 --> 00:01:32,500
A lot of times what happens is that developers forget to sanitize the input given by the user in the

21
00:01:32,500 --> 00:01:37,120
code of their application, which can make them vulnerable to attacks like SQL injection.

22
00:01:37,880 --> 00:01:39,520
OK, we already knew that.

23
00:01:39,890 --> 00:01:41,680
Let's go all the way down.

24
00:01:41,680 --> 00:01:44,380
Let's understand this type with the help of an example.

25
00:01:44,620 --> 00:01:48,700
Say there is an existing user with the name admin, OK?

26
00:01:49,270 --> 00:01:51,630
And now we want to get access to their accounts.

27
00:01:51,650 --> 00:01:59,140
So what we can do is try to reregister that user name, but with a slight modification, we're going

28
00:01:59,140 --> 00:02:02,140
to enter a space and then admin.

29
00:02:03,230 --> 00:02:05,060
Notice the space at the start.

30
00:02:05,260 --> 00:02:11,510
OK, now, when you enter that in the username field and enter other required information like email

31
00:02:11,510 --> 00:02:17,000
ID or password and submit the data, it will actually register a new user.

32
00:02:17,000 --> 00:02:20,760
But that user will have the same rights as normal admin.

33
00:02:21,860 --> 00:02:24,000
That seems to be quite a bit of a problem.

34
00:02:24,800 --> 00:02:26,240
Let's continue reading.

35
00:02:26,840 --> 00:02:32,360
That new user will also be able to see all the content presented under the user admin.

36
00:02:33,290 --> 00:02:40,040
To see this in action, go to this link, so let's visit it straight away and let's go down just to

37
00:02:40,040 --> 00:02:47,490
read until the end. Try to register a user named darren, and you'll see that the user already exists.

38
00:02:47,510 --> 00:02:54,020
So then try to register a user named " darren", with a space at the beginning, and you'll see that you are now logged in and will be

39
00:02:54,020 --> 00:02:59,720
able to see the content present only in their account, which in our case is the flag that you need

40
00:02:59,720 --> 00:03:00,320
to retrieve.

41
00:03:01,040 --> 00:03:02,230
Hmm, interesting.

42
00:03:02,630 --> 00:03:06,730
And first question is, what is the flag that you found in their account?

43
00:03:07,520 --> 00:03:08,990
So let's go and take a look.

44
00:03:09,860 --> 00:03:16,430
If we try to log in as darren by typing darren and, let's say, test1234, and click

45
00:03:16,430 --> 00:03:17,180
on sign in.

46
00:03:18,200 --> 00:03:25,670
We get an error, invalid username or password, so let's try to do what the TryHackMe example told

47
00:03:25,670 --> 00:03:28,990
us to do, which is to register a user with slight modification.

48
00:03:29,000 --> 00:03:34,730
So let's type a space and then darren. Make sure there is a space before it here.

49
00:03:34,730 --> 00:03:36,140
Otherwise it will not work.

50
00:03:36,500 --> 00:03:39,820
And under the email, we can type any email that we want.

51
00:03:40,520 --> 00:03:48,440
I typed test@gmail.com, which is probably a non-existent email, and for the password, type test

52
00:03:48,440 --> 00:03:49,880
1234.

53
00:03:50,150 --> 00:03:52,100
And we'll register this user.

54
00:03:53,050 --> 00:03:55,360
OK, so we registered the user successfully.

55
00:03:55,640 --> 00:04:02,200
Now let's try to log in as that user and see whether we will be able to find the flag that should only

56
00:04:02,200 --> 00:04:04,940
be accessible from darren's real account.

57
00:04:05,500 --> 00:04:06,790
So let's go right here.

58
00:04:07,420 --> 00:04:09,310
Type a space and then darren.

59
00:04:10,580 --> 00:04:12,980
And test1234.

60
00:04:13,920 --> 00:04:15,090
Let's click on Sign In.

61
00:04:16,010 --> 00:04:21,980
And here is the flag, so we successfully performed a broken authentication attack where we

62
00:04:21,980 --> 00:04:27,230
registered the new user with slight modifications, such as adding a space at the beginning of the name,

63
00:04:27,530 --> 00:04:33,380
and it allowed us to see the flag that should only be accessible from the real darren user.

64
00:04:33,650 --> 00:04:37,190
And we would submit this flag right here under this question.

65
00:04:38,630 --> 00:04:44,330
OK, and the other question is, try to do the same trick and see if you can log in as arthur.

66
00:04:45,450 --> 00:04:50,800
So I assume the arthur account already exists, so pretty much we can do the same thing.

67
00:04:50,820 --> 00:04:57,690
We can go register a space and then arthur, and for the email, we can type once again anything that

68
00:04:57,690 --> 00:04:58,200
we want.

69
00:04:58,440 --> 00:05:02,330
I typed test2@gmail.com and the password will be test

70
00:05:02,340 --> 00:05:03,750
12345.

71
00:05:04,200 --> 00:05:06,680
Just to make it different from the darren account.

72
00:05:07,530 --> 00:05:08,820
Now let's go and log in.

73
00:05:09,030 --> 00:05:12,780
So a space, then arthur, and test

74
00:05:13,020 --> 00:05:14,550
12345.

75
00:05:15,240 --> 00:05:19,620
Click on sign in, and here we get arthur's flag as well.

76
00:05:20,400 --> 00:05:25,890
So we pretty much performed the same thing for two different accounts, for darren's account and for arthur's

77
00:05:25,890 --> 00:05:26,400
account.

78
00:05:26,610 --> 00:05:32,580
And if this type of vulnerability was to exist in a real page, we would pretty much be able to access

79
00:05:32,580 --> 00:05:36,750
any account on that page just by knowing its username.

80
00:05:37,600 --> 00:05:42,640
We would then perform a slight modification, register a new username, and we would be able to see

81
00:05:43,240 --> 00:05:45,580
all the things that original user can see.

82
00:05:46,750 --> 00:05:52,060
OK, but this was a rather simple example of broken authentication. In the next video, we're going to

83
00:05:52,060 --> 00:05:59,230
go back to our OWASP WebGoat and try to take a look at a different broken authentication attack. See you

84
00:05:59,230 --> 00:05:59,950
in the next lecture.