1
00:00:01,140 --> 00:00:01,890
Welcome back.

2
00:00:02,340 --> 00:00:10,230
Let's see a different example of a broken authentication attack, and to present this, we're going to be

3
00:00:10,230 --> 00:00:17,070
using OWASP Mutillidae 2, so open up your OWASP machine and navigate to Mutillidae.

4
00:00:17,940 --> 00:00:25,940
And under here, we want to go to OWASP 2013 and navigate to Broken Authentication and Session Management

5
00:00:26,790 --> 00:00:27,470
right here.

6
00:00:27,480 --> 00:00:32,720
We want to go to Authentication Bypass, and let's go to Bypass via Cookies.

7
00:00:33,180 --> 00:00:34,080
Click on that.

8
00:00:34,800 --> 00:00:38,610
And this is the page that we want to, let's say, hack.

9
00:00:39,060 --> 00:00:40,980
But let's read through this first.

10
00:00:41,760 --> 00:00:47,480
So some sites keep authentication and authorization tokens in the user agent field.

11
00:00:47,850 --> 00:00:52,230
This gives the user large amounts of control over these tokens.

12
00:00:54,100 --> 00:00:56,660
OK, but do we really need to read through all of this?

13
00:00:56,680 --> 00:01:02,950
It just tells us that some different attacks are possible, such as SQL injection, brute force and secret

14
00:01:02,950 --> 00:01:04,209
administrative pages.

15
00:01:05,290 --> 00:01:13,120
But let's read the name of our task again, so it's broken authentication, we want to bypass authentication

16
00:01:13,120 --> 00:01:15,370
and we want to do it via cookies.

17
00:01:16,450 --> 00:01:22,660
OK, to be able to do this, we need to have an account on this page, so let's create a simple account

18
00:01:22,660 --> 00:01:24,820
by going on Login and Register.

19
00:01:25,800 --> 00:01:29,850
And we don't have an account, so let's register right here.

20
00:01:30,940 --> 00:01:38,980
We're going to type a username, let's type username test one, and a password, let's say test one, two,

21
00:01:38,980 --> 00:01:39,580
three, four.
22
00:01:40,000 --> 00:01:44,350
We will confirm the password, and the signature is not needed.

23
00:01:44,360 --> 00:01:45,940
So let's just create an account.

24
00:01:46,750 --> 00:01:49,150
OK, it tells us account created.

25
00:01:50,280 --> 00:01:56,250
Now, let's go back and let's go on Login and let's log in with our account, so the username was test

26
00:01:56,250 --> 00:01:59,280
one and the password was test one, two, three, four.

27
00:02:01,740 --> 00:02:09,840
OK, awesome, let's close this window, and in the right corner, we should see logged in as user test

28
00:02:10,080 --> 00:02:10,440
one.

29
00:02:11,280 --> 00:02:18,870
Now let's go back to our page and try to bypass and switch the account by changing the value in the

30
00:02:18,870 --> 00:02:20,040
cookies field.

31
00:02:20,730 --> 00:02:27,010
So let's navigate, or perhaps let's turn on the intercept, and let's try to refresh this page.

32
00:02:27,540 --> 00:02:30,090
Let's take a look at the request that we're trying to send.

33
00:02:30,630 --> 00:02:33,950
And if we go down, here is our cookie value.

34
00:02:34,770 --> 00:02:40,290
Now, we can see there are multiple fields to this cookie value, but there are two particular fields

35
00:02:40,290 --> 00:02:42,150
that should be of interest to us.

36
00:02:42,720 --> 00:02:44,880
We got the username equals test one.

37
00:02:44,880 --> 00:02:48,300
We got user ID, we got session ID.

38
00:02:48,840 --> 00:02:52,500
But these two right here seem the most interesting to us.

39
00:02:53,280 --> 00:02:59,910
Let's try to change the username from test one to, let's say, admin, because there is an admin account

40
00:02:59,910 --> 00:03:01,320
on the page.

41
00:03:01,800 --> 00:03:03,960
And if we forward this request...

42
00:03:05,110 --> 00:03:12,880
Hmm, nothing really happens, we're still logged in as user test one, so maybe we can't do it like

43
00:03:12,880 --> 00:03:13,240
that.
44
00:03:13,390 --> 00:03:16,260
Let's try with the user ID field first.

45
00:03:17,020 --> 00:03:23,380
So let's turn off the intercept, turn it back on again, and let's refresh the page.

46
00:03:24,670 --> 00:03:31,710
Now we get the same request, we got the username test one, which is us, and we got the user ID; apparently

47
00:03:31,720 --> 00:03:34,930
twenty-five is the user ID of our test one account.

48
00:03:35,710 --> 00:03:38,710
Let's try changing that to one,

49
00:03:38,890 --> 00:03:43,720
for example. Let's forward this and go back to the page.

50
00:03:44,530 --> 00:03:50,380
And here it is, we managed to switch the account by changing the values inside of the cookie header.

51
00:03:50,740 --> 00:03:53,180
Now it says logged in as admin.

52
00:03:54,010 --> 00:03:55,660
Here is our account.

53
00:03:56,610 --> 00:04:02,820
And we can do that for any account that we want; if I refresh the page and change the user ID from

54
00:04:03,420 --> 00:04:10,610
twenty-five to two and forward, now we should get a different account, logged in as Adrian.

55
00:04:11,430 --> 00:04:12,420
How cool is that?

56
00:04:12,720 --> 00:04:16,010
And this is a vulnerability in the session management.

57
00:04:16,019 --> 00:04:21,360
It allows us to switch the accounts by changing the user ID in the cookie field.

58
00:04:22,110 --> 00:04:24,060
So this was also a simple example.

59
00:04:24,330 --> 00:04:29,850
And in the next few lectures, we're also going to take a look at different approaches to broken authentication

60
00:04:29,850 --> 00:04:30,210
attacks.