1
00:00:00,810 --> 00:00:08,490
OK, I want to quickly discuss what could possibly be the easiest vulnerability to exploit. There is

2
00:00:08,490 --> 00:00:16,260
something called sensitive data exposure, and it's exactly as it says: it's a vulnerability that developers

3
00:00:16,260 --> 00:00:20,900
make by exposing some unwanted information in the web page.

4
00:00:21,720 --> 00:00:28,050
Now, sensitive data exposure can be something as trivial as showing the application version, but

5
00:00:28,050 --> 00:00:33,860
it can also be something as big as exposing perhaps the entire database of the web application.

6
00:00:34,500 --> 00:00:39,710
And anyone with a little bit of knowledge is going to be able to access it if they want.

7
00:00:40,350 --> 00:00:42,840
So it can be a big vulnerability.

8
00:00:43,350 --> 00:00:48,030
Now, this type of data exposure doesn't occur that often.

9
00:00:48,030 --> 00:00:50,420
However, you will find them from time to time.

10
00:00:50,970 --> 00:00:58,560
Usually the data will be exposed in the source code of the web page itself; perhaps multiple developers

11
00:00:58,560 --> 00:01:05,310
worked on the website and they left comments for each other in the code regarding some web page details.

12
00:01:06,540 --> 00:01:09,780
But if you come across something like this,

13
00:01:10,860 --> 00:01:17,790
well, then there are two possibilities: either the developer didn't take a single look at the web page

14
00:01:17,790 --> 00:01:26,190
before putting it online, or it's put there purposely as a honeypot, and a honeypot is something used

15
00:01:26,190 --> 00:01:27,130
to catch hackers.

16
00:01:27,540 --> 00:01:34,200
Nonetheless, it's most likely going to be the first thing: that the developer forgot to remove his comments

17
00:01:34,200 --> 00:01:34,920
from the code.
18
00:01:35,460 --> 00:01:41,120
As we can see in this example, there is a comment that says, "Hey, I put the passwords file in the /data

19
00:01:41,170 --> 00:01:42,000
directory."

20
00:01:42,720 --> 00:01:47,670
Now that could possibly be left for another developer that is going to take over the project.

21
00:01:48,330 --> 00:01:53,160
And maybe before they put out the entire website, they forgot to remove it altogether.

22
00:01:54,030 --> 00:02:00,870
Now, the plan of the attack is simple and it goes like this: we search through the code and through

23
00:02:00,870 --> 00:02:06,300
the web page, and if there is sensitive data exposure, we might find something useful, such as a hidden

24
00:02:06,300 --> 00:02:09,900
directory or an admin page or perhaps a database.

25
00:02:10,590 --> 00:02:17,040
And we use that data to then gain access to things that shouldn't be out there for the public to access.

26
00:02:18,000 --> 00:02:25,110
Let's see a simple example of this with our TryHackMe platform challenge. So right here I have navigated

27
00:02:25,200 --> 00:02:28,770
to my own challenge inside our TryHackMe platform.

28
00:02:29,280 --> 00:02:33,840
And under task number eight, we have sensitive data exposure.

29
00:02:34,530 --> 00:02:36,600
Now, I have already set everything up.

30
00:02:36,780 --> 00:02:38,250
I have started my machine.

31
00:02:38,460 --> 00:02:44,160
Here is the IP address of the machine. If you want, before you do the challenge, feel free to read

32
00:02:44,160 --> 00:02:50,310
through all of this and make sure that you've read through the other parts as well, because the sensitive

33
00:02:50,310 --> 00:02:52,920
data exposure has four parts.

34
00:02:52,920 --> 00:02:57,660
It has Task 8, Task 9, Task 10 and Task 11.

35
00:02:58,260 --> 00:03:03,000
Now, under Task 11 are our challenges, which we are going to do right now.
36
00:03:04,140 --> 00:03:10,230
So, as it says, it's now time to put what you learned into practice, and there's not much to do right

37
00:03:10,230 --> 00:03:16,080
here; we just want to copy the IP address and paste it right here.

38
00:03:19,660 --> 00:03:21,940
And it will load the page for our challenge.

39
00:03:23,010 --> 00:03:29,430
So we can already see that the page is simple. It has some text right here, an image, it has a login

40
00:03:29,430 --> 00:03:33,840
button and it has this button right here that says Sense and Sensitivity.

41
00:03:34,440 --> 00:03:38,190
We can click on all the buttons if we would like, just to see what happens.

42
00:03:38,190 --> 00:03:43,920
If we click on the login button, it will lead us to this page where we need to specify a username and password.

43
00:03:44,340 --> 00:03:51,690
And if we click on this... if we just go back to the main page, let's try to find sensitive data exposure.

44
00:03:52,980 --> 00:03:59,400
If we read through this text right here, we won't really see anything useful for us, as well as on the

45
00:03:59,400 --> 00:04:05,370
page itself, we don't really see anything that could potentially give us more detail than we should

46
00:04:05,370 --> 00:04:05,610
have.

47
00:04:05,760 --> 00:04:07,440
So let's take a look at the source code.

48
00:04:07,770 --> 00:04:10,140
We right-click and go View Page Source.

49
00:04:11,280 --> 00:04:15,090
So we take a look at the code; it's just simple code.

50
00:04:15,120 --> 00:04:21,540
We got some directories right here, /login, /assets, and that would pretty much be about

51
00:04:21,540 --> 00:04:21,860
it.

52
00:04:21,870 --> 00:04:25,200
We don't get any comment whatsoever.

53
00:04:25,530 --> 00:04:29,960
Now, we will want to visit these directories in order to see what files perhaps are there.

54
00:04:30,600 --> 00:04:36,900
But before we do that, let's also go to the login page and view page source on this page as well.
55
00:04:37,530 --> 00:04:43,890
And here we have one comment that says, "Must remember to do something better with the database than

56
00:04:43,890 --> 00:04:47,600
store it in /assets." And remember /assets:

57
00:04:47,610 --> 00:04:50,130
is that the directory that we saw from the first code?

58
00:04:50,700 --> 00:04:54,730
And it appears that they've stored the entire database in that directory.

59
00:04:54,780 --> 00:04:58,010
So if we can access it, we have sensitive data exposure.

60
00:04:58,410 --> 00:05:00,600
But of course, this is to the extreme part.

61
00:05:00,600 --> 00:05:05,120
You rarely see something like this happen, although it does happen sometimes.

62
00:05:05,550 --> 00:05:07,230
So let's go to the assets.

63
00:05:08,920 --> 00:05:09,190
OK.

64
00:05:14,120 --> 00:05:20,300
And here it is, we got all the regular files, such as JavaScript files, PHP files, CSS files,

65
00:05:20,540 --> 00:05:24,290
and we also have webapp.db, which stands for database.

66
00:05:24,890 --> 00:05:28,850
We can download this file if we want to save it on our machine.

67
00:05:29,860 --> 00:05:34,840
And then we can go through their entire database in order to find out some information, perhaps about

68
00:05:34,840 --> 00:05:38,710
users, about their private data and other things as well.

69
00:05:38,860 --> 00:05:40,740
And we're going to do that right now.

70
00:05:40,990 --> 00:05:42,400
So let's open a terminal.

71
00:05:44,500 --> 00:05:50,290
Let's navigate to the download directory where we downloaded our webapp.db, and in order to

72
00:05:50,290 --> 00:05:58,780
navigate through this database, we can type the command sqlite3 and then webapp.db, which

73
00:05:58,780 --> 00:05:59,970
is the name of our database.

74
00:06:00,430 --> 00:06:06,690
We press enter and it will open this SQLite interpreter where we can type in our SQL code.
75
00:06:07,480 --> 00:06:13,300
So first thing with this database, we want to see all of the tables that it has, and we can do that

76
00:06:13,300 --> 00:06:16,180
by typing the command dot and then tables.

77
00:06:17,080 --> 00:06:23,770
If we press enter, we get the output right here that says it has a sessions table and a users table.

78
00:06:24,490 --> 00:06:29,040
We're more interested in this users table, since perhaps maybe there are passwords.

79
00:06:29,530 --> 00:06:36,610
So what we can do is we can run the SQL command to select everything from this table, and the command

80
00:06:36,610 --> 00:06:41,800
would go like this: select star, and star simply stands for everything.

81
00:06:42,280 --> 00:06:51,160
And then from users; let's not forget the semicolon at the end, and then we press enter.

82
00:06:52,060 --> 00:06:55,030
We get this output right here.

83
00:06:55,930 --> 00:07:02,090
Now, before we discuss this output, let's go back to our task and see what we need to submit.

84
00:07:02,590 --> 00:07:06,450
So the first thing that it asks us is, what is the name of the mentioned directory?

85
00:07:06,940 --> 00:07:10,180
We can already specify the answer, which is assets.

86
00:07:10,330 --> 00:07:13,200
Submit that and it's the correct answer.

87
00:07:14,020 --> 00:07:19,870
It says navigate to the directory you found in question one; what file stands out as being likely to

88
00:07:19,870 --> 00:07:21,450
contain sensitive data?

89
00:07:22,240 --> 00:07:25,360
And in our case, that is webapp.db.

90
00:07:26,270 --> 00:07:32,160
Let's submit that as well. And use the supporting material to access the sensitive data.

91
00:07:32,170 --> 00:07:33,130
We did it.

92
00:07:33,550 --> 00:07:37,300
And the question is, what is the password hash of the admin user?

93
00:07:38,300 --> 00:07:41,690
So could it be that these are the password hashes?

94
00:07:42,530 --> 00:07:44,450
Well, they most likely are.
95
00:07:44,600 --> 00:07:51,410
We are in the database, and usually databases store passwords as hash values and not in plain text.

96
00:07:52,320 --> 00:07:58,570
So we can copy the hash and specify it to see whether it's the correct answer for the user admin.

97
00:07:59,010 --> 00:08:02,310
Let's go right here and paste the hash.

98
00:08:03,340 --> 00:08:05,840
And it's the correct one. Now, next task:

99
00:08:06,070 --> 00:08:09,250
what is the plaintext password from this hash?

100
00:08:09,250 --> 00:08:10,730
So we must crack it first.

101
00:08:11,440 --> 00:08:14,050
We can do that with the help of an online website.

102
00:08:14,260 --> 00:08:17,770
We can navigate to a website like crackstation.net.

103
00:08:20,200 --> 00:08:27,340
And here we can type in our hash, which hopefully will get cracked by this website. Down here, it says,

104
00:08:27,340 --> 00:08:29,800
which hash types does it support?

105
00:08:30,070 --> 00:08:36,070
And they probably have a huge database with a bunch of plain text passwords that they run our hash against

106
00:08:36,280 --> 00:08:37,970
and see whether they find a match.

107
00:08:38,260 --> 00:08:40,080
So let's paste our hash right here.

108
00:08:40,750 --> 00:08:41,320
Let's click

109
00:08:41,320 --> 00:08:42,190
"I'm not a robot".

110
00:08:43,669 --> 00:08:45,980
Let's select all the bridges.

111
00:08:47,310 --> 00:08:47,980
Verify.

112
00:08:48,030 --> 00:08:50,460
And let's click on Crack Hashes.

113
00:08:51,790 --> 00:09:00,370
When we get the output, our hash is of the type MD5, and in plaintext it is

114
00:09:00,370 --> 00:09:02,080
qwertyuiop.

115
00:09:02,100 --> 00:09:05,230
This is the password in plain text for the admin account.

116
00:09:06,040 --> 00:09:07,030
Let's copy it.

117
00:09:08,500 --> 00:09:10,060
Go back to our page.

118
00:09:10,950 --> 00:09:16,230
And let's type admin and then the password that we just cracked.
119
00:09:18,740 --> 00:09:22,320
And here it is, we found the flag for our challenge.

120
00:09:22,340 --> 00:09:27,200
Now we can submit both the plaintext password and the flag right here.

121
00:09:28,790 --> 00:09:29,200
Awesome.

122
00:09:29,570 --> 00:09:35,210
So this was an example of sensitive data exposure, and we're not going to take a look at more examples

123
00:09:35,210 --> 00:09:38,960
because this is pretty much what it will always be.

124
00:09:39,260 --> 00:09:41,570
You search through the web page and through the code.

125
00:09:41,840 --> 00:09:45,740
If you find something useful, you use it to gain access,

126
00:09:46,310 --> 00:09:51,140
if it's, of course, something as big as database exposure or password exposure.

127
00:09:52,250 --> 00:09:56,780
In other words, this is not a technical vulnerability; it's strictly bound to developers making a

128
00:09:56,780 --> 00:09:59,980
mistake and leaving something out there for the public to see.

129
00:10:00,680 --> 00:10:02,500
Nonetheless, thank you for watching.

130
00:10:02,510 --> 00:10:08,060
And in the next lecture, we're going to tackle another vulnerability type, which is called Broken

131
00:10:08,060 --> 00:10:10,400
Access Control. See you in the next lecture.