1
00:00:01,190 --> 00:00:01,910
Welcome back.

2
00:00:02,450 --> 00:00:08,340
Let's discuss another IDOR example inside of our OWASP virtual machine.

3
00:00:09,110 --> 00:00:15,230
So in the previous lecture, we took a look at the IDOR challenge where we changed the file that we

4
00:00:15,230 --> 00:00:18,800
want to view to /etc/passwd.

5
00:00:19,250 --> 00:00:24,510
And that way we displayed the file that we shouldn't have been able to access.

6
00:00:25,250 --> 00:00:31,160
Now let's take a look at a different type of IDOR challenge inside of our bWAPP application.

7
00:00:31,520 --> 00:00:32,299
Click on that.

8
00:00:32,750 --> 00:00:39,850
And as usual, let's log in with our credentials, which are bee and bug, and click on Login.

9
00:00:40,640 --> 00:00:45,940
We have our current security level set to low and we are going to leave it on low for now.

10
00:00:45,950 --> 00:00:47,930
And let's choose our bug.

11
00:00:48,590 --> 00:00:52,430
So navigate to the IDOR challenges, which are right here.

12
00:00:52,430 --> 00:00:59,570
And out of these three, we're going to go onto this one which says Insecure DOR (Order Tickets). Click

13
00:00:59,570 --> 00:01:00,230
on Hack.

14
00:01:01,160 --> 00:01:08,240
And it will lead us to this challenge. So it's a simple application; it asks how many movie tickets

15
00:01:08,240 --> 00:01:11,480
would you like to order, 15 euros per ticket.

16
00:01:12,020 --> 00:01:15,280
And here we can type in how many tickets we want to order.

17
00:01:15,290 --> 00:01:21,500
For example, if I want to order 10 of them and click on Confirm, it will tell me that I have ordered

18
00:01:21,500 --> 00:01:28,220
10 movie tickets and that the total amount charged from your account is one hundred and fifty euro, or

19
00:01:28,220 --> 00:01:30,980
simply 10 times 15 euro per ticket.

20
00:01:31,760 --> 00:01:37,520
OK, let's see whether we can manipulate this and perhaps change the price.

21
00:01:38,420 --> 00:01:42,650
So the first thing that we are going to do is we are going to turn on our intercept.

22
00:01:43,130 --> 00:01:46,500
And here let's go with ten tickets.

23
00:01:46,520 --> 00:01:49,370
Once again, click on Confirm.

24
00:01:50,150 --> 00:01:53,960
And this is the request that we get down here.

25
00:01:53,960 --> 00:01:58,640
We can see all of the parameters that are being submitted with this request.

26
00:01:59,180 --> 00:02:07,880
So we have the ticket quantity equals 10, we have ticket price equals 15, and the action equals to

27
00:02:07,880 --> 00:02:08,240
order.

28
00:02:09,410 --> 00:02:14,640
Now, this is a constant; we know that the price of a ticket is 15.

29
00:02:15,230 --> 00:02:21,830
So perhaps with the IDOR vulnerability, we can try to change the price of this ticket.

30
00:02:22,190 --> 00:02:23,400
So instead of 15,

31
00:02:23,900 --> 00:02:25,130
let's just leave it on one.

32
00:02:26,140 --> 00:02:33,610
Let's make the price to be only one euro and let's see whether this will work. If we forward this request,

33
00:02:33,610 --> 00:02:35,980
go back to our page.

34
00:02:36,910 --> 00:02:38,410
Well, here it is.

35
00:02:38,680 --> 00:02:46,840
It worked successfully. We ordered 10 movie tickets and the total amount that was charged was ten euro.

36
00:02:47,620 --> 00:02:52,330
So we pretty much ordered 10 tickets for the price of one euro per ticket.

37
00:02:53,080 --> 00:02:57,180
Let's also see how this would look on medium security level.

38
00:02:57,580 --> 00:03:02,470
Let's click on Medium and let's click on Set.

39
00:03:02,710 --> 00:03:05,390
We still have our intercept turned on.

40
00:03:05,410 --> 00:03:07,930
Let's turn it off and let's go back to the page.

41
00:03:08,560 --> 00:03:12,680
And now let's see how our application is acting.

42
00:03:13,330 --> 00:03:18,370
So if we once again specify ten tickets and we click on Confirm.

43
00:03:19,650 --> 00:03:26,130
Well, it doesn't really appear that anything changes from the low security level, which we had previously,

44
00:03:26,490 --> 00:03:27,750
we still get the output:

45
00:03:27,750 --> 00:03:31,860
You ordered 10 movie tickets and the total amount charged is one hundred and fifty euro.

46
00:03:32,580 --> 00:03:37,910
But let's see, are there any differences in the HTTP request once we intercept it.

47
00:03:38,460 --> 00:03:40,500
So let's turn on the intercept.

48
00:03:41,670 --> 00:03:49,710
Let's once again try to buy 10 tickets and let's confirm it, and this is our request. You will notice

49
00:03:49,710 --> 00:03:55,020
that we no longer have the ticket price parameter inside of our request.

50
00:03:56,250 --> 00:03:58,190
So how are we going to change the price?

51
00:03:59,190 --> 00:04:02,340
Well, we can take a look at this ticket quantity.

52
00:04:02,820 --> 00:04:07,620
The ticket underscore quantity is a parameter for how many tickets we want to buy.

53
00:04:07,980 --> 00:04:14,490
And we can assume that perhaps there could be a ticket underscore price parameter that could be set

54
00:04:14,730 --> 00:04:16,620
to the price of a single ticket.

55
00:04:17,220 --> 00:04:22,890
So maybe we can try to input it ourselves right here and see whether that would work.

56
00:04:23,520 --> 00:04:27,390
As we can see, these parameters are being separated by this sign.

57
00:04:27,930 --> 00:04:29,490
And let's give it a try.

58
00:04:29,850 --> 00:04:37,560
If we type that sign and then ticket underscore price equals one, let's try to set it to be equal to

59
00:04:37,560 --> 00:04:37,810
one.

60
00:04:38,280 --> 00:04:43,620
Let's see if us injecting the parameter manually will make any changes on the page.

61
00:04:44,250 --> 00:04:46,590
If we forward this, go back.

62
00:04:47,190 --> 00:04:48,770
And there it is.

63
00:04:49,380 --> 00:04:51,630
We made this work successfully.

64
00:04:52,380 --> 00:04:56,910
We ordered ten movie tickets for the price of ten euro.

65
00:04:56,910 --> 00:05:00,750
And once again we managed to perform the IDOR vulnerability on medium level.

66
00:05:01,980 --> 00:05:08,670
Now, on a high level, I believe all of these applications actually show the secure code, so I'm not

67
00:05:08,670 --> 00:05:11,450
sure if it's possible in high level, but let's give it a try.

68
00:05:12,210 --> 00:05:17,560
Let's confirm with one ticket and the price for one ticket is 15 euro.

69
00:05:18,180 --> 00:05:19,980
Now, if we intercept that.

70
00:05:23,370 --> 00:05:30,450
Well, we get pretty much the same response as from the previous medium security level, so if we tried

71
00:05:30,450 --> 00:05:38,490
the same thing, ticket price equals to one and we forward this, well, it won't really work.

72
00:05:39,470 --> 00:05:45,800
And this is because high level is usually a secure version of these applications, but we can always

73
00:05:45,800 --> 00:05:51,080
do something like this if we have intercept turned on and we go on Confirm.

74
00:05:52,280 --> 00:06:02,660
What we can do is we can try something like this, so let's inject ticket price to be equal to one and

75
00:06:02,660 --> 00:06:05,840
let's change the security level to be equal to zero.

76
00:06:06,680 --> 00:06:08,090
Now, if we forward this.

77
00:06:09,470 --> 00:06:16,140
Well, now we once again changed the price to one, but we cheated a little bit.

78
00:06:16,190 --> 00:06:23,720
We exploited a different parameter inside of our request, which changes the security level.

79
00:06:24,290 --> 00:06:27,410
Nonetheless, this is another example of an IDOR challenge.

80
00:06:27,420 --> 00:06:32,660
And in the next lecture, we're going to take a look at a security misconfiguration vulnerability.