1
00:00:00,990 --> 00:00:07,290
Let's cover yet another attack for broken authentication, and this one will be aimed at authorization

2
00:00:07,290 --> 00:00:08,189
within the page.

3
00:00:09,030 --> 00:00:14,400
To demonstrate this, we're going to go to a page called OWASP WebGoat.

4
00:00:15,180 --> 00:00:16,040
It's right here.

5
00:00:16,200 --> 00:00:24,060
Let's click on it, make sure that intercept is turned off, and it'll open a window like this that will

6
00:00:24,060 --> 00:00:30,650
require us to log in. Remember this window, because it will be important for us in this lecture.

7
00:00:31,350 --> 00:00:38,370
So we got this pop-up window, and to log in we can type guest and then the password, also guest.

8
00:00:38,610 --> 00:00:41,010
So username and password: guest.

9
00:00:41,370 --> 00:00:42,180
Click on OK.

10
00:00:43,190 --> 00:00:50,240
Let's not save the password, and it will open a page like this. From here, we want to start our

11
00:00:50,240 --> 00:00:50,600
WebGoat.

12
00:00:51,780 --> 00:00:58,180
And let me just zoom this in a little bit. Here we will have different attacks that we can perform.

13
00:00:58,530 --> 00:01:02,970
Of course, not all of these attacks have to do with broken authentication.

14
00:01:03,390 --> 00:01:05,960
Most of them actually are different vulnerabilities.

15
00:01:05,970 --> 00:01:09,960
But the attack that we are interested in at the moment is Authentication

16
00:01:10,170 --> 00:01:10,710
Flaws.

17
00:01:11,400 --> 00:01:12,780
So click on that.

18
00:01:13,410 --> 00:01:16,800
And from here, we want to go to Basic Authentication.

19
00:01:18,150 --> 00:01:25,520
OK, it will open up a task like this. So it says: basic authentication is used to protect server-side

20
00:01:25,530 --> 00:01:26,280
resources.

21
00:01:26,820 --> 00:01:32,700
The web server will send a 401 authentication request with the response for the requested resource.
22
00:01:33,270 --> 00:01:39,510
The client-side browser will then prompt the user for a username and password using a browser-supplied

23
00:01:39,510 --> 00:01:40,470
dialog box.

24
00:01:40,800 --> 00:01:45,210
And that is the dialog box that we saw once we logged into WebGoat.

25
00:01:45,870 --> 00:01:52,770
The browser will base64 encode the username and password and send those credentials back to the web

26
00:01:52,770 --> 00:01:53,130
server.

27
00:01:53,760 --> 00:01:58,890
The web server will then validate the credentials and return the requested resource.

28
00:01:59,220 --> 00:02:05,970
If the credentials are correct, these credentials are automatically presented for each page protected

29
00:02:05,970 --> 00:02:10,660
with this mechanism, without requiring the user to enter their credentials again.

30
00:02:11,430 --> 00:02:17,850
So essentially what this says is that the basic authentication credentials that we inputted once to

31
00:02:17,850 --> 00:02:25,890
log in to our WebGoat will be passed to every page within the request, without us having to log

32
00:02:25,890 --> 00:02:27,370
in every time we switch a page.

33
00:02:28,080 --> 00:02:32,010
But the problem here is that it's encoded with base64.

34
00:02:32,310 --> 00:02:36,960
So here we will have a vulnerability of weak encryption and weak encoding.

35
00:02:37,710 --> 00:02:40,770
Base64 is something that we can easily decode.

36
00:02:41,250 --> 00:02:44,270
So let's give it a try. For this lesson,

37
00:02:44,280 --> 00:02:48,360
your goal is to understand basic authentication and answer the questions below.

38
00:02:48,840 --> 00:02:54,120
What is the name of the authentication header, and what is the decoded value for the authentication header?

39
00:02:55,010 --> 00:02:57,290
OK, let's go right here.

40
00:02:57,470 --> 00:03:01,220
Turn on the intercept. This is also a rather simple example.
41
00:03:01,670 --> 00:03:09,140
If we go to our header, we get this field that's called Authorization, and it says Basic and then

42
00:03:09,140 --> 00:03:10,270
some random letters.

43
00:03:11,150 --> 00:03:14,030
Now, we've got our answer to our first question.

44
00:03:14,030 --> 00:03:21,170
Authorization is the answer to "what is the name of the authentication header", so we can type it in: Authorization,

45
00:03:22,610 --> 00:03:25,910
even though it doesn't matter, since we are in the middle of refreshing the page.

46
00:03:25,910 --> 00:03:32,270
But nonetheless, let's take a look at this more interesting part that says Basic and then some random

47
00:03:32,450 --> 00:03:32,980
letters.

48
00:03:33,530 --> 00:03:41,180
Now, we already know that this is base64, and you can usually recognize base64 by this equals sign at

49
00:03:41,180 --> 00:03:43,060
the end right here.

50
00:03:43,070 --> 00:03:45,680
It also tells us that it's basic authentication.

51
00:03:45,710 --> 00:03:51,830
So what we can do, if we were to, for example, intercept this request by using something like a man

52
00:03:51,830 --> 00:03:57,530
in the middle attack on a wireless network, and we were to get this request from some other user that's

53
00:03:57,530 --> 00:03:59,390
trying to visit a page within WebGoat,

54
00:03:59,780 --> 00:04:05,330
we will be able to decode their username and password and then log in to their page.

55
00:04:05,630 --> 00:04:07,100
Let me show you how we can do that.

56
00:04:07,310 --> 00:04:10,010
We copy the value that's encoded right here.

57
00:04:12,650 --> 00:04:19,700
And then we go to something called Decoder. Here, you can turn off the intercept and navigate to the

58
00:04:19,700 --> 00:04:20,149
Decoder.

59
00:04:20,630 --> 00:04:25,430
Now, the Decoder is something that we didn't cover in the basics, but it's rather simple to use.
60
00:04:26,060 --> 00:04:33,370
All we have to do is paste right here what we want to decode. Let me see if I even copied it.

61
00:04:33,390 --> 00:04:37,870
OK, I copied it successfully, and right here on the right side

62
00:04:37,880 --> 00:04:43,520
we want to click on "Decode as", and we want to decode it as base64.

63
00:04:43,850 --> 00:04:44,900
Let's click on that.

64
00:04:45,960 --> 00:04:52,620
Well, here it is: here's our username and password in plain text, and that is all it took for us

65
00:04:52,620 --> 00:04:55,770
to get the username and password of a certain user.

66
00:04:56,310 --> 00:05:02,010
Now, of course, for us to be able to get this HTTP request that we intercepted, as I mentioned, we

67
00:05:02,010 --> 00:05:04,710
would have to do something like a man in the middle attack.

68
00:05:04,710 --> 00:05:06,620
But that's really easy to perform.

69
00:05:07,050 --> 00:05:13,680
The problem right here is that the page has a weak encoding, and then we can easily reverse the encoded

70
00:05:13,680 --> 00:05:16,230
username and password back to the plaintext.

71
00:05:17,070 --> 00:05:23,280
And now we can copy this, because this is the decoded value, since that is the answer to our second

72
00:05:23,280 --> 00:05:24,270
question on the page.

73
00:05:25,500 --> 00:05:31,350
And let's paste it right here and submit, and it will tell us: congratulations, you've figured out the

74
00:05:31,350 --> 00:05:33,490
mechanism of basic authentication.

75
00:05:34,260 --> 00:05:39,540
Now you must try to make WebGoat re-authenticate you as username basic, password basic.

76
00:05:39,660 --> 00:05:43,680
Use the Basic Authentication menu; start at the login page.

77
00:05:44,810 --> 00:05:51,110
Now, all we have to do right here is simply just close WebGoat, and then we would re-authenticate

78
00:05:51,110 --> 00:05:54,080
with basic and basic as username and password.

79
00:05:54,110 --> 00:05:55,770
So this is something really easy to do.
80
00:05:55,790 --> 00:05:57,020
We're not going to cover that.

81
00:05:57,020 --> 00:06:04,520
Just next time at the login screen, you can use this username and password to enter a different account.

82
00:06:04,940 --> 00:06:11,210
And you can also try to intercept a request on a certain page and try to change the encoded value of

83
00:06:11,210 --> 00:06:17,180
basic and basic in the Authorization header in order to switch the account. That might work for you, you never

84
00:06:17,180 --> 00:06:17,420
know.

85
00:06:18,050 --> 00:06:19,230
OK, awesome.

86
00:06:19,880 --> 00:06:21,800
This was yet another simple example.

87
00:06:22,040 --> 00:06:28,700
And in the next video, we're going to take a look at an example of broken authentication once a user

88
00:06:28,700 --> 00:06:29,780
forgets a password.

89
00:06:30,390 --> 00:06:33,830
Nonetheless, thank you for watching, and I will see you in the next lecture.