1 00:00:01,110 --> 00:00:01,890 Welcome back.
2 00:00:02,430 --> 00:00:05,939 Let's see another example of IDOR vulnerability.
3 00:00:06,970 --> 00:00:13,120 So in the previous video, we saw a simple example of tampering with one parameter in order to change
4 00:00:13,300 --> 00:00:19,040 the user ID or in order to be able to see private information from a different user.
5 00:00:19,840 --> 00:00:24,120 Right now, let's see what examples can we get on our OWASP BWA.
6 00:00:24,730 --> 00:00:29,970 So first thing or first example that I want to show you is on OWASP Mutillidae.
7 00:00:30,370 --> 00:00:31,600 So let's click on that.
8 00:00:32,549 --> 00:00:40,710 And here, as usual, under the OWASP 2013, we will have this vulnerability that says insecure direct
9 00:00:40,710 --> 00:00:45,570 object reference, or in other words, it's the IDOR vulnerability.
10 00:00:46,550 --> 00:00:50,940 This is an example of a vulnerability that I showed you in the theory lecture.
11 00:00:51,050 --> 00:00:52,840 Now let's put it to practice.
12 00:00:53,390 --> 00:00:54,800 Let's go to any one of them.
13 00:00:54,830 --> 00:00:57,250 So, for example, let's go to source viewer.
14 00:00:58,040 --> 00:01:05,360 And in this simple page, we have a source file name to select and tells us to see the source of the
15 00:01:05,360 --> 00:01:07,670 file, choose and click view file.
16 00:01:08,210 --> 00:01:10,520 Note that not all files are listed.
17 00:01:10,880 --> 00:01:13,260 OK, so let's choose any one of them.
18 00:01:13,280 --> 00:01:15,590 For example, let's go with register.php.
19 00:01:16,730 --> 00:01:18,020 Click on View File.
20 00:01:19,340 --> 00:01:27,840 And it gives us the output of this file. So pretty standard, but once again, remember from our theory
21 00:01:27,860 --> 00:01:35,300 lecture, we must ask ourselves the question, is this or are these files that we have in this list
22 00:01:35,720 --> 00:01:37,340 only files that we can read?
23 00:01:38,720 --> 00:01:44,930 Well, in this box, we can't really type any other file name, however, we can intercept this request
24 00:01:45,290 --> 00:01:47,720 with Burp Suite and try to change the file.
25 00:01:48,380 --> 00:01:54,620 Let's go to our Burp Suite, turn on the intercept and let's select any file whatsoever.
26 00:01:54,650 --> 00:01:58,870 Let's go pick it up and click on View File.
27 00:01:59,660 --> 00:02:07,730 So we intercept the request right here and down here in these parameters, we have the phpfile parameter
28 00:02:07,730 --> 00:02:14,990 that selects which page we want to, you know, since we can't really type it in right here, we're
29 00:02:14,990 --> 00:02:22,730 going to type it in inside of our Burp Suite, login.php, and let's, for example, type /etc
30 00:02:22,850 --> 00:02:25,310 /passwd.
31 00:02:26,630 --> 00:02:32,780 Let's see if this will work, if we forward this packet, turn off the intercept, go right here.
32 00:02:33,380 --> 00:02:35,060 Well, here it is.
33 00:02:35,660 --> 00:02:41,270 We have the output of the /etc/passwd folder.
34 00:02:41,780 --> 00:02:45,220 And once again, that's the broken access control vulnerability.
35 00:02:45,470 --> 00:02:48,410 We got the output of a file that we shouldn't be able to see.
36 00:02:49,340 --> 00:02:53,520 Now, the same goes with this parameter right here in the page.
37 00:02:53,930 --> 00:02:57,800 This is simply just a parameter that selects which task we are currently doing.
38 00:02:57,810 --> 00:03:04,100 So if we go to insecure direct object, you will see that page name is source viewer, and it probably
39 00:03:04,100 --> 00:03:07,820 has some PHP that processes this page.
40 00:03:08,390 --> 00:03:17,270 But we can also try to go and perform broken access control right here if we type /etc/passwd for
41 00:03:17,390 --> 00:03:18,210 this parameter.
42 00:03:18,950 --> 00:03:26,300 Well, we get another output and another broken access control vulnerability where it outputs once again
43 00:03:26,600 --> 00:03:28,060 the /etc/passwd file.
44 00:03:28,880 --> 00:03:31,520 And it's the same with all the other examples.
45 00:03:31,540 --> 00:03:40,580 So, for example, if we go to cookies right here, we can inject our /etc/passwd right here in this page.
46 00:03:43,580 --> 00:03:46,250 Oops, I misspelled passwd, but OK.
47 00:03:47,820 --> 00:03:51,980 And once again, here is the output of the /etc/passwd.
48 00:03:53,330 --> 00:03:57,260 So this type of vulnerability is not that hard to perform.
49 00:03:57,500 --> 00:04:02,600 Of course, it might have some filters that might protect it to some extent.
50 00:04:02,600 --> 00:04:06,220 And those filters we are going to see in the next video with a different example.
51 00:04:06,710 --> 00:04:11,990 However, usually once you have this vulnerability, it will most likely not have any access control
52 00:04:12,200 --> 00:04:12,920 whatsoever.
53 00:04:12,970 --> 00:04:18,260 Therefore, you will be able to access different things that you shouldn't be able to see.
54 00:04:19,070 --> 00:04:19,980 OK, awesome.
55 00:04:20,600 --> 00:04:23,780 Thank you for watching this lecture and I will see you in the next lecture.