LIVE: Web Hacking | Pentesting | AppSec | Cybersecurity | AMA

The Cyber Mentor · Beginner · 🔐 Cybersecurity · 11mo ago

Key Takeaways

The video covers web hacking, pentesting, and cybersecurity, with a focus on web application security and bug bounty hunting, using tools such as Python and various hacking frameworks. The hands-on part reviews a Node.js token-generation function that MD5-hashes the user's email concatenated with Date.now(), brute-forces the admin's session token from a time window with a Python script and Burp Intruder, and then moves on to server-side cross-site scripting.

Full Transcript

What's up everybody? Hopefully you can hear me. Okay. I'm not sure if I tested the sound before I started, but you know, nothing like doing live testing. How are you all doing today? We've got a cool web app to break today. A couple of different things to look at. So we'll do a tiny bit of code review and we'll brute force a session token. And then we're going to do server-side cross-site scripting. And yes, I didn't mis-say that, server-side cross-site scripting, because I saw a talk on it recently. I'll share some details in the chat soon when we get to it. But all good. How are we all doing today? Before we dive into some questions, what's up Zen? You got the first comment. Good job. Fast. Arubius has been slow recently. So you've taken the number one step. We do have some new live web app training coming up in August. So I'm building a ton of labs and new content for it. Basically, instead of following the more traditional approach, I'm throwing everything into more of a modern web applications first approach. So we'll be dissecting microservices and JSON and understanding how attacks work in context, rather than looking at a very specific attack in an old PHP web app and then being like, this is how it works, and then have fun doing bug bounty. It's more like we're going to look at things in much more modern web apps, and everything is going to be a little bit more up to date. So that's what I'm working on at the moment. It's all busy busy. I've been writing a lot of code recently, so let's put it that way. How are you all doing today? It's quiet here at the moment because the cats are in the cattery. I'm away this weekend. Got some weddings to do and stuff. So they're there and they're just chilling, having a good time at their holiday home.
But I don't know if it's going to happen or not. So don't hate on me if it doesn't happen. The cattery that we use had, it's really, really sad, had a cat and all of her kittens dumped outside, and obviously somebody's just come up and just left them there all night. So we might be adopting a few more kittens if they can't rehome them by Monday. I think when I go to pick up Elfie and Poppy, I will be coming home with more cats than we had last week. So we'll see. If they get rehomed, great. I told them if they're struggling to rehome them, then we'd probably take them. So we'll see. I'm really excited. More cats, more chaos. It's all good. And actually what I suspect is all the kittens are quite easy to rehome because everyone's like, "Ah, yeah, kittens." But the mother, they might not be able to find a home for her. So we'll take her, of course, if she's still there. And yeah, we'll see. All right, let me scroll down. Also, heads up. So I'm definitely going to Defcon. My visa was accepted. Not that the visa process is that difficult from the UK to the US, but you know, every time I do it, I'm always like, "Hm, maybe they're going to reject me." If you're at Defcon, feel free to reach out. Happy to grab coffee, pizza, beer, whatever your jam might be. Just let me know. I do have some things already scheduled in, but I'll be there. I'll be around. It's a nice long weekend. So let me know if you're coming. Oh, are my cats indoor only? Yes, I have indoor cats, for a couple of reasons. One, the ginger one, Elfie. So when we adopted her, she came when she was really young. We think she was either lost or separated from her mother, and so she has no social skills and she's really aggressive to other cats, and so it's not really fair.
I've done a lot of training with her, even like, you know, I've got scars from training this cat. It's not fair on the other neighbourhood cats for one, and two, they're terrible on the road. And we have quite a busy main road out front. But even though they're indoor, they have a catio, so they do have outdoor space. They can go out there, watch the birds. Poppy actually caught a bird the other day because it flew into the catio. And my god, she was parading it around the house, rubbing herself against every wall. She was so happy with herself. But there you go. Yeah, we have indoor cats. I would love to let them outdoors more, but it's just not safe for them around here. And it's not fair for the other cats, unfortunately. But I do take them out in the garden every so often on the lead, though. So they do get outdoor time. What's up Andrew? I feel like it's been a while since we managed to catch up. So if you're at Defcon, let's definitely catch up. We haven't chatted on Discord in ages. So that will be a great thing to organize. Ooh. Yeah, that's... Wait, where is it? This one is a whale shark. And of course the octopus as well. I mean, they're kind of out of focus, so you can't really see them, but if you know the service display, they're from there. They're quite nice for my office, I think. So we're all kids. All right, I'm just scrolling down the chat at the moment. Let me just pop into the pinned questions. Oh, hi. What's up, Mary Ellen? How are you doing? I have to pick this one up because it's Mary Ellen, of course, one of our VIPs. How did a bird get into the catio? So it's got a mesh on it that's like 1 in by 1 in, maybe. And it was kind of a small... it kind of looks like a robin, but it wasn't. It had a bit of green on the side. I'm not sure what bird it was.
We have loads and loads of starlings. It was way too small to be a starling. But yeah, I think it basically snuck through, and then it was obviously quite a young bird, unfortunately. Obviously I wouldn't get birds and put them in there, and it's kind of sad that the bird got eaten, but also it's just part of life, isn't it? You know, cats eat birds. That's how the world is. So, all right, let me check out some questions. Guide for AppSec and road map. We have a YouTube video on this. I think earlier in the year, maybe February, we did a road map. So definitely check that out. I do go over more detailed road maps in my live training, but I think the biggest thing is if you're just starting out, do a course and stick to it. Whatever course you decide to do, stick with it, because it gives you a really good base of knowledge to build on top of. If you just watch random YouTube videos and go here and there, you'll pick up lots of different things, but you won't really know how they connect together. So getting a base methodology is really, really important. And then building on top of that is really, really important. And then I think there are a few other key things. So first, definitely build a web app. Spend a little bit of time, not loads of time, like two hours or something, and build a web app.
Follow Traversy Media or Code with Mosh or something and build something, and then from there, you know, either start working through the TCM courses or start working through PortSwigger Academy and really build your knowledge base. I think that puts you off to a really good start, and then from there you can start looking for jobs and going deeper into certain things, specializing, whatever it might be. Could we explain about RS256 JWT tokens, how to exploit them? So usually, if a token is signed and you see the algorithm RS256, you probably want to try and find the private key. Generally speaking, there are other tricks you can do. So if it's vulnerable to, for example, when you add a different key as part of the header and it doesn't validate that and then uses a different key to validate the token, you can do key confusion, basically. So there are different ways to do it, but generally speaking, if you see RS256 instead of HS256, and it's not something that you're trying to crack, you need to either find the private key or you need to use some other exploit technique, if that makes sense. I think those are the two main routes. All right, let me keep scrolling down. You're my instructor from the PEH course. Yeah, I do the web app section in the PEH course. Yeah, that's me. What's up, all good? Ah, so this is the 15 hour YouTube video I think you're talking about. I think it's a really good starting point for sure. It covers loads of fundamental stuff. So yeah, if you're a complete beginner, do the 15 hour course. You'll learn so much stuff, and there's always more to learn, right? It never ends, but it's going to put you on the right path.
It's going to give you loads of fundamental skills that you can then build on, and you can take on either more advanced courses, or you can start doing TryHackMe, Hack The Box, CTFs, and things like this. So it kind of sets you up in the beginning, if that makes sense. Let me keep scrolling down. Which programming language would be a good choice to learn for network and web pentesting? I think a lot of people hate on it, but Python's probably your best bet. It's, you know, widely used, easy to spin up. In fact, I've written a script in Python that we'll look at in a little bit to brute force some tokens. So yeah, I would say Python's probably your number one. If you're specializing in web app pen testing, I think JavaScript is really, really important, for sure. But as a general skill for penetration testing, Python's probably your best bet. A bit of bash goes a long way as well. All right, let me keep scrolling down. Oh, is PortSwigger really good? Yeah, I think it's kind of a staple. I think a lot of the labs are really good. A lot of the attacks are really, really important. There's nothing in there that, if you're a professional web app pentester, should surprise you too much. It's really, you know, a lot of good solid stuff. So for sure. Oh, this is good to hear. PWP is a wonderful exam. Yeah, thanks. That's really, really good. Hey, it took quite a lot of work. A lot of time building, researching, balancing, beta testing. Yeah, I'm glad it's out there, which is cool. All right, let me keep scrolling down. I'm going to hop back to the chat. There's still loads of questions in there. I can see 25 pinned already. I've probably answered about 10 or 15, but let me catch up with how you guys are doing. What's everybody talking about apart from this? Oh, can I explain this command?
This looks like shellshock. Is it shellshock? I don't know. If you go to explainshell.com, paste it in. Let me see... Oh, no. I can't copy and paste from the chat. That's really annoying because I'm on Restream. But maybe try explainshell. But no, it's not shellshock, is it? Because that would be... I'm trying to vaguely remember the syntax. I would have to Google. I don't know. My bash skills aren't that good. So let's see. Scroll down a little bit more. All right, I'll switch back to the questions. We're almost 20 minutes in already. So we'll start the box in like five minutes and then we'll keep going. Chat is wild today. I love to see it. So many good questions. Have I used Rust for pentesting? No, not personally. I've seen Rust scripts and tweaked them and interacted with it. But have I written something in Rust from scratch to achieve something? No, I haven't. That's not to say it's not good or not legit. I just haven't spent any time learning Rust, and then I wouldn't go to it just because I'm not that familiar with it. So I think it's valid to check out, but it's not really in my wheelhouse because I'm doing a lot of web stuff as well. I don't really need it necessarily, at least not for me day-to-day. Let me keep scrolling down. Oh, this is a good question from Uday. If I don't have a degree, is it possible to get into offensive security? I recently dropped out from my college due to some personal reasons. So what I would say is it's definitely possible, 100%. But what I would say is it's probably going to be a little bit harder. So when people ask me questions about, ah, if I don't have a certification, or if I don't have a degree, or whatever it is: when you apply for a job, they basically set out criteria. So in an ideal situation you check every box.
So for me, I apply for a job, I've got a master's degree, I've got like 10 years working in cyber security, I've got a bunch of side projects, got this, that and the other. And the point is you basically want to try and make your CV or resume stand out as much as possible. Now, if there's a gap in that, so for example, my undergrad has nothing to do with cyber security. So if I was applying and I just had my undergrad degree, I would try and then make up for that in some other area or in some other way. So maybe either a side project or something that can put me forward, or maybe I did an internship, or maybe I contributed, maybe you built a Hack The Box machine and it's on Hack The Box, you know, because you can submit boxes to them. Maybe you have a bunch of TryHackMe rooms, maybe you've got a YouTube channel, blogs, maybe you found some CVE, maybe you're a top 100 bug bounty hunter, whatever it might be. All of these things kind of slot in. So if you don't have something, try and think about what you do have and how you can supplement that as much as possible, if that makes sense. Yeah, and I think that's the best way to go. And for sure I would also say, if you're struggling a little bit because you get a lot of auto rejections from HR, maybe if you don't have a degree they're just going to be like nope and you maybe don't reach the hiring manager. Networking is your friend, for sure, because who you know can just get you a job just like that, easily. I think that's something that I neglected for, I don't know, the first seven, eight years of my career. I didn't really do any networking at all. Nobody knew who I was. I didn't know anybody else. I knew the people that I'd worked with, but that's it. And now I've worked with them,
you know, obviously they're good contacts, but I think if you go to conferences, especially BSides, for example, BSides have a rookie track. So if you've never done a conference talk before, they take submissions from people who don't have as much experience and want to try giving a talk, and you'll meet loads of people, you'll have a talk, and then in your interview you'll be like, "Oh, this is the talk that I gave at BSides." And people will be like, "Ah, cool." You know? So yeah, I think this is the thing. It's a balance between things and how do you get the most out of what you have, and just because you're missing something doesn't necessarily mean it's impossible. But I would say I think it's a little harder, for sure, if that's your case. But don't give up hope. I'm confident that if I went back and didn't do a degree and didn't do my masters, I could still get a job and work in cyber security, for sure. And it's kind of easy for me to say because I have all this knowledge now, but I'm confident it could happen. Yeah, it's possible. Do I have experience with Cobalt Strike? A little bit, yeah. I did a bit of red teaming before. Not a ton. So, but yeah, I've used Cobalt Strike before. It's good. It's expensive. Yeah, it's a nice tool. All right, let me take a couple more questions and we'll start today's box. Ooh, another one from Uday. Should I go for bug bounty or pen testing? I think this is a personal question. I think pen testing is probably more stable, but if you really love bug bounty, then you should do bug bounty. But if you're just between the two and you're like either would be good, I think pentesting is a safer option for sure, just because, you know, full-time job, paid salary and things like this. But there are lots of opportunities in bug bounty.
It's just I think it requires a different mindset, different approach. It's not for everyone, just the same as pentesting is not for everyone. So that's it. All right. Oh, let me answer one more before we jump into today's box. So, how do I manage my time in an engagement? I find myself digging rabbit holes trying to bypass WAFs, digging into potential vulns, and then cramming at the end of my engagement. Yeah, this is a tricky one, because I feel like especially with web app pen testing there's never enough time, and I think the standard approach is either one week or two weeks for a web app. Doesn't matter what size web app it is, you either get one week or two weeks, or maybe if it's just a few endpoints maybe you get one day, and then, you know, obviously you've got a day for reporting as well. So for me, I generally prioritize based on, if I can try and get in a meeting with the developers, understanding which parts of the application are unique and built by them and which parts are boilerplate code or taken from something else, for example. Yeah, if they have a WordPress site and they're like, "Okay, we want you to test this," do all your basic WordPress checks, but then if they've built a custom plug-in, that's what you need to be spending your time on attacking. For example, same as if they have a web app and they've pushed three new features since their pentest last year. Those three new features are probably the things where you want to spend most of your time, if that makes sense. But generally speaking, I tend to go feature by feature. I know some people go bug by bug, like they'll be like, "Okay, I test for XSS everywhere. I test for this everywhere." But I tend to try and go feature by feature and not go too deep. If I don't make any progress within an hour, I tend to move on, unless I have a really clear like, oh, there's definitely something here.
So I think, yeah, try setting yourself a timer. That might help. Automation definitely helps. Having standard word lists ready to go, having standard things that you want to fuzz ready to go definitely helps. Standard WAF bypasses. If you can, on pen tests, ask them to whitelist your IP and then be like, "Okay, I'm going to test without the WAF because that's going to speed up my workflow." And then afterwards we'll redo the same tests and see if we can bypass the WAF. Because pentesting is all about finding stuff and getting it remediated. It's not like a real world, you're not trying to emulate somebody trying to break in in the real world, right? You're trying to harden the application, because you've only got a week. Somebody else might be on a target for years, for example, like people do with bug bounties. Some people have targets that they work on week in, week out for many, many years and they always find stuff because, you know, they get there eventually. All right. So let me pop this and then pop over to here and let's make a start on the box. And also, when we get to a break, I'll carry on answering questions and things like this. But we need to make a start, otherwise we'll just be answering questions all night, which is fine, but we also need to break stuff, too. So let's pull open Burp Suite. So this is going to be more of a... I built this lab, so it's more of a guided, you know, chill session. It's not going to be me struggling to do some CTF and typoing everything. I've kind of prepared everything and I'm just going to try and explain stuff as I go along. Hopefully you guys find it interesting. If you like this format or you prefer this format to the CTF boxes or TryHackMe boxes, let me know. Let me find the IP address of my host so that I can actually connect to my machine then. Yeah. But I think we got quite good feedback
last time I did a self-hosted or a CTF that I'd built. Ah, I forgot to fix this. Okay, it really, really irritates me that the input boxes come outside of the div here. I need to fix this. And most of you probably know the reason why is because a lot of the time I use AI to build my front ends, to build them really quickly. So, like Bootstrap and things like that, and all the CSS, I usually just throw it in there. For things like the PWP exam I built pretty much everything, but for labs and stuff, the front ends, I'm just like, build me a front end, these are my endpoints. And it's obviously quick. So we've got a couple of demo accounts. We're just going to log in as john@example.com. Jeremy's on holiday, so we've gone with John. And here we have this app. So it's called FreeFlow, and basically as a user you can log in and you can request work to be done. And then, as we'll see later, the admins can accept work and then they can do some stuff on the back end. And in the second step we'll see this server-side cross-site scripting. And what I want to do first is have a look at the user token. So we're going to try and brute force a token. So GET /dashboard, come to here. And what I'm going to do is I'm going to take a second. So we're going to do this fun thing again where I ask you all random questions and we just chill until we get the answer. Oh, where is Jess? Jess is, I don't know, looking after the cats somewhere, also on holiday. What's up Hamza? How are you doing? So this here, what does this look like to you guys? I mean, it looks like 32 characters in terms of length. It's all lowercase. It's alphanumeric. There's only one thing it could sensibly be. And I'll give you all a second to think about it. Who's in Iceland? I want to go to Iceland. It's on my bucket list.
I used to work with a guy from Iceland and he had a really serious resting face, and I could never tell when he was joking or not because he had quite a strong accent as well. He'd say things and I'd be like, "What?" And then he'd be like, "Oh, I'm joking." And it's like, "Oh, okay." Here we go. Outlander. Yes, we've got MD5, and a bunch of others as well. So I can see JWT in there, but not quite, because if it was a JSON web token we would have two dots and then we'd have three sections. So we'd have the header, the payload and the signature, like this. So JWTs tend to be a little bit longer, but this for sure looks like MD5. And so naturally this isn't the solution, but we can, you know, spin up Hashcat or John the Ripper or something. I'm just going to pop it in here. This is the first thing you do with MD5 like this. And I'll be amazed if this actually cracks it. It doesn't. And I know why. So we can't crack it. We don't know what the data is that was used and we don't know what the seed is. So here what we're actually going to do is dive into the code. I've got the code running on my host machine, but I pulled it over earlier. So this is the include used to generate a token. And so we've obviously got this generateToken function here, and it takes in an email address, and we can see that it creates a const timestamp. So it takes Date.now() and then it creates the payload, which is the email that was passed in plus the timestamp, and then it creates the token. So crypto.createHash with this algorithm, so it's using MD5 in this case, and then we've got update(payload) and then digest('hex'). Now, I don't actually know what this update function does, but it probably, I don't know, maybe it encodes it somehow or something like this. And then basically we get an MD5 from this and then we've got this.validateTokens. So, where's that function? Ah, okay.
validateToken. Token, return this. So, validateTokens. Don't know. But anyway. Oh, so yeah, here we've got validateTokens up here. I was like, where is this function? So basically validateTokens is a list, and then we've got validateTokens.set, and it's adding the token and the email to this. So, oh sorry, it's a map, not a list. Not sure what the difference is. And then it returns the token here. So, security 101. What is the problem with this function? I think this is the question here. If you were reading this, if you were doing code review and you saw this, what would you be like, ah... I mean, aside from MD5. Let's ignore the fact that it's using MD5. I think in this case using MD5 is not that big of a deal, just because getting the actual payload and cracking it by using something like a rainbow table is going to be very difficult because we've got this Date.now(). So I think the actual payload is complex enough to use MD5. But what is the other issue with this? "No filter," says... Okay, this is an interesting one. I think in this case, because we're not passing anything into a dangerous function, unless there was a CVE with crypto.createHash and we're passing in safely, I think we're okay without filtering. I think. Don't quote me on that because I haven't looked it up. But I don't see a dangerous sink here. But that is a good point, and that's not something I thought about. Also, no sanitization. Not quite what we're looking for. Why is this dangerous? Let's see. Yes, you are on the right track. So, "not sure, but maybe the fact that it uses seeds that could be known to other people." So this is it, right? Using Date.now() instead of a very secure random function as part of your seed to create the hash is a terrible idea. Really, really terrible idea.
So, if we either know when somebody logged in, or if we have a time span of when they logged in, and we know their email. So if we know these two pieces of information, we can potentially create a list of tokens and then validate one of them. And I think famously, what was it, was it Kaspersky password manager or something? It was using datetime for its random seed. Datetime is not random, and most random functions, so if you use Python's random function, it's pseudo random, so it's guessable, because everything comes out to an average, and these things are not robust enough to be able to use in cryptography, basically. So this is dangerous. So what we can do, to speed things up, we'll use the login time, but we can try and recreate this and we can try and brute force a token. And this is kind of a fun exercise. And let's do... I already created a script for it because I don't want to spend two hours writing this, and then we can just get on with it, I suppose. So basically I wrote this script and it takes in email, timestamp and algorithm, and then if we come down we've got argparse, this comes in, and here we've got this main while loop. So we get the timestamp in milliseconds and then we basically rotate through this: we generate a new token based on that, and then we append the token to the list, and then we increment the milliseconds, and so basically... and then we open a file and write it to the file like this. So the trick here is that sometimes when we are using a web app... I just totally lost my train of thought. When we're using a web app, sometimes we can go to something like a user's profile. We might be able to see their information, but we also might be able to see something like their last logged in.
So, for example, I've seen old web apps where people have a last logged in or last active date, or we could maybe wait for, if it's a forum or something, we could monitor them. We could write a script that then, as soon as the user's status changes to online, we could take that timing down. Now, we're going to kind of fake this a little bit. So what we're actually going to do is log out. We're going to log in as the admin just so that the admin has a valid token. And it's now 17:40 in England. And so what I'm going to do is python3 generate tokens.py and then dash time 1740. I'm going to do a window of 1 minute either side. So this is going to basically take everything from 17:39 to 17:41. And then the other part of the token is the email. So we need admin@freeflow.com, like this. And then we need the algorithm, if I can spell algorithm. This is probably the most difficult part of this attack. Like this. So it's generated all the tokens, and it generated 120,000 tokens because Date.now() includes milliseconds. And so, of course, if we only knew the day, then this would be a lot more tokens. And this attack might even be, you know, much more difficult to pull off. But in this case, 100%, if we can get to the minute or within 3 minutes, this is reasonable. 12,000 tokens isn't too crazy, if that makes sense. And we can just double check this. Whoops. Yeah, like this. Ah, we've got tokens. I was like, why did that not autocomplete? But the tokens.js file is the code that we just reviewed. So hopefully this doesn't crash Burp Suite. And what I'm going to do is, let's see, who is this? Let me submit this. Let's render this quickly. Okay. So this is John's account currently. And what I'm going to do is I'm going to send this to Intruder. And then, oh, it auto... Does it usually do that? Oh yeah, it does. Maybe I highlighted it. Not sure.
And then it's also highlighted our token. I suppose there's nothing else. I mean, maybe we're fuzzing for this. And then what we're going to do is come to payloads and we're going to load in tokens.txt. Oh, I've got this on screen. Sorry. Whoops. Hopefully you can see everything. So these are all the tokens, all 120,000 of them. I'm surprised Burp Suite didn't crash, because usually when you load in a huge word list it just freezes up. And then, fingers crossed, we should be good, and we'll give it a little bit of time to run. Now, because I'm running this locally and this app is running on my host, obviously this would probably take a few hours over the internet. But you know, what's a few hours? You could leave it running overnight, for example. As long as you haven't got something like Cloudflare clapping you, brute forcing is not such a big deal. Depends on your target and the situation. All right, while that's running let me check in with the chat, see how you guys are doing. Ooh. Career change from business developer and data analyst to cyber security. Yeah, I think so. If people who are completely new to the industry can break in, if you're bringing a load of skills like data analysis and some other stuff across, then yeah, of course it's possible. I think from my perspective cyber security can be taught; anybody can learn cyber security. I think the other part that we can't really teach is attitude, mindset, you know, going for the right opportunities and things like that. There's a lot of stuff that is kind of outside of our control as teachers, but I'm pretty sure I could teach cyber security to almost anyone who is willing to learn. All right, so our initial payload, this is John's token, came back with a length of 1552. And then we also got another token here which was length 1557.
So I'm going to copy this. And then what we'll do is come back to the browser. I'm going to go F12. And then here we have this auth token. I'm just going to replace the auth token in the browser and hit refresh. And now we're logged in as the admin. Huzzah. Easy peasy lemon squeezy. And this is the first step to breaking this web app: escalating our privileges. So I think the key thing here is, if you ever do code review and you look at how tokens... this is a simple example, but I've seen this in the past where applications will use date timestamps as part of token generation, for example. As soon as you see this and there's nothing inside here that we can't either somewhat guess or guess with brute force, the token is definitely weak and brute-forceable for sure. So you've got to think: is there something in there that I could never guess? If there is, if it's like a 32-character completely random thing, then yeah, it's secure. But if it's something like this, then we can easily brute force it, if that makes sense. All right, let me answer a couple of questions and then we'll crack on to the main thing for today. Can I recommend the best books in cyber security? I have a couple on my desk. I think if you want to do web app pen testing, let me change my screen. This is the best book for web app pen testing. Here we go: The Web Application Hacker's Handbook. Honestly, I've read it through once and then I've reread some chapters, and okay, it's not super modern attacks and things like that, but it's really fundamental stuff, really about mindset and how to attack systems, and honestly it's really relevant. For sure, old but gold.
I think there's stuff in here like null-byte injection, which I'm never going to test against a modern application. Maybe I should; maybe I'll get lucky one day. But even stuff like that is a good case study for your mind and for the future as well. So learning from old stuff is really important. I would say if you want to do network pen testing, obviously The Web Application Hacker's Handbook is not as relevant, but yeah, this is a really good one. Let's see what else we've got. Oh, share the script. Yeah, is there an easy way I can share this? Let me pop this into... I will create a code share very quickly and then drop the link into the chat. I mean, it's only really set up for this target, but obviously you could modify the script and use it against other things. Let me share this. Copy, and then paste. There we go. The script is in the chat. So, all good. Oh, look who turned up. Just in time for today's main topic. I pinged you earlier, like, come join this live stream, because web app surfing and boulders. Yeah. And cats. That's pretty much my life. Which also reminds me, I need to print off more stickers for DEF CON, which I'm going to add to my to-do list before I forget, because otherwise I'm not going to get them in time. Oh, you've got five minutes, Max. Okay. Well, at least we're being recorded, so you can have a look later. I'll ping you the app anyway and the payloads I think you'll find interesting. All right, let's see what else we've got. Let's move on to the next part. Okay. So let me change my screen again. Here we go. So today, if we come to the admin dashboard... actually, let's submit a new job.
So we're going to submit a new job, and "cheese is the best thing I have ever eaten". So basically the point behind this app is that users can submit jobs to the administrators. The administrators can then take it and accept it. It's kind of like a service request application. So we can submit this. Obviously I'm submitting this as the admin; that doesn't matter too much. The point is, when we come to the admin dashboard, we have the application here, and we can see this. And so, did I just copy and paste something? Oh yeah, I'm going to put something into the chat in a sec. So here, as an admin, what I can do is accept this job request, and then its status is "in progress", and then when we view it we can see that we can convert this job request to PDF. This is pretty normal: when you submit a request for something, you might get an invoice, you might get something else, whatever it might be, and then we have this service where you can convert to PDF and download the PDF. And then Chrome's going to be like, "Oh, my face is in the way." Chrome's going to be like, "Ah, PDFs are dangerous, but we're going to keep it anyway." And we're just going to open it up. And you can see that this is converted to PDF. Now, I've just dropped a link in the chat. This application, this CTF, is based on a talk from last week that I saw. So I went to the OWASP London meetup, and, I'm really sorry, I'm going to say the name wrong, but Balaz Books say, he even told me how to say his name and I've completely forgotten, did a talk on server-side cross-site scripting. So usually when we have cross-site scripting... it's not cross-site scripting, ignore me. When we have SSRF, server-side request forgery, we'll have something like this.
So we'll have something like a POST, or let's say a GET, and it'll be /convert, and it'll be, okay, we're passing Content-Type: application/json, and this is our payload, and our URL is going to be something like http://internal.ctf.something/all-the-flags. Right? So this is our typical server-side request forgery. And what we can also do is hit metadata endpoints, so if we're on AWS, I always forget it, it's 169.254.169.254. We can access metadata endpoints and steal stuff from there and compromise cloud environments. Obviously, if you're using the new metadata endpoint, then you have to send a request, you have to get the token, and then you have to include the token in the request, which pretty much almost nullifies this unless you have full control and you can send POST requests, read the response, which usually you can't do in JavaScript, and then grab the token and resend the request. So that's our classic way, but another way of doing this is to get server-side request forgery via cross-site scripting. So when I send this payload here, "cheese is the best thing I've ever eaten", what I can try and do is insert some JavaScript or HTML inside this to try and achieve server-side request forgery via something like XSS. So what I've done is I've created a fake... I'm just going to put in some boilerplate code so we can see what's going on. A fake EC2 endpoint. And this is the point of the CTF. So, depending on the converter. So what we're doing here is we're communicating with a headless Chrome browser, and we're going to try and pop cross-site scripting inside the headless Chrome browser that's running in a container, and then from that we can try and access the EC2 endpoint and read the data. Now, spoiler alert, this first one isn't going to work.
So if we do something like fetch("http://fake-ec2:9000"), it's running on 9000, I think. Yeah, that should work; they're running on the same network. And then we do .then, and then r => r.text(), and then data. Whoops, I can't type today. Fetch, and then what we're going to try and do is exfiltrate it to our local web server. So this is a typical cross-site scripting payload, an intermediate cross-site scripting payload. So we close, and then we need... okay. And what we're going to do is try, what's my IP address? This one. And then we'll just do python3 -m http.server, and let's do 9001, like this. And we're just going to try and exfiltrate the data to this. So if I copy this, update the content, convert to PDF, then that should trigger already because it's happening inside the container. So when we trigger the conversion, when it loads in the JavaScript, it's going to make this request and try to do it. And then we haven't written anything to the page, so we should just see the start and end. And oh, I'm an idiot. Hold on. Script. Don't forget your script tags, Alex. Update this. But I don't think we're going to see anything unless I've configured... if we configure the Chrome browser to allow... no, I don't think we can, actually. Depends on the CORS policy. But you can see we have start and end. And we can also see that we don't have any request coming into here. So this is one of the things: if we have some data, we can exfiltrate it using JavaScript, but we can't read the response, and this is a problem that we run into quite a lot. And we can also try things. So, for example, if the Chromium browser had local file read, I can't remember the flag, it's something like --allow-local-file-read, we could maybe do something like this, but again, we can't see it.
So instead of using JavaScript here, which sometimes will work, so it's something to think about, what we can do is just use good old HTML. So here I'm just going to do <iframe src="http://fake-ec2:9000">. I think it's running on 9000. It might not be; we might have to do some troubleshooting. And then make sure that we can actually see it. So let's do width, I don't know, 500px, height 500px, like this, and then close the iframe. And then hopefully when we do this, convert, and then download, you can see that we have the contents of this file. So this is the point of today's lab: we can get server-side request forgery via things like HTML, XSS, maybe even CSS if we're loading images. I think it's possible. I don't think we can, as far as I'm aware, I could be wrong, I don't think we can fetch text with CSS and then read the response and output it to the page, but we might be able to do something crazy like steal images and then set a background image, or do something based on what comes back. Not sure. But there are ways, and there are also ways to scan internal networks using this technique as well. So we can use JavaScript, for example, to send a request to something, and then based on the response we can be like, ah okay, that endpoint doesn't exist, or does exist. So, for example, let me try this one again. So let's keep this and then we'll do another start or end here, like this.
If I do something like <script>, ah, can't type, and then we do fetch, and we do something like http://localhost:1234, and then we do something like .text, whoops, test, like this, and then we do something like data, document.write, so we don't even need the pre, let's just do data, like this, and then if we do .then, catch, oops, no, .then, .catch, catch error, and then we can do document.write the error, like this. So what's going to happen here is hopefully we'll see an error come out. So if this endpoint doesn't exist then we'll get an error, and if it does exist we can't read the response anyway, and so this is a way of finding out whether an endpoint is there, and then even if we can't read the response we could maybe start attacking it. So let's grab that, download the PDF. Yeah. So we get "Failed to fetch". So this means that obviously localhost:1234 doesn't exist. And then if we put in, for example, this fake EC2 endpoint, update the contents, convert. Obviously you would script this and speed it up, or we could put lots of checks in one. Oh, we still got "Failed to fetch". Okay, that doesn't make sense. That wasn't supposed to happen. What have I done wrong here? The output should be different, because one of them should return and then just not write any data, and one of them should actually cause a legit error. Not sure. Anyway, I've probably typoed something or done something wrong, but the theory is that if we can elicit a different response, then maybe we can scan networks by doing this. That makes sense. Cool. But that's the point of this lab: we can get server-side request forgery sometimes via JavaScript, sometimes via HTML injection, sometimes we can get local file read. Not in this case, because I haven't configured Chrome that way.
But we can just update this with our payload, do the conversion, and then the headless browser that's running in a container is going to do the work for us. So what I would say is it's kind of risky to run a headless browser in a container. And this one is the repository I used. So I literally just spun this up from here. This is the same one from the talk that we put in the chat. So it's the same repository. And I think there's a warning somewhere saying... oh yeah. Is this the right one? I'm sure this is the one I used. Or is it a different one? This might be a different one. Hold on. Let me find which one I actually used in the end, because I tested a bunch this morning. Give me a second. Is it this one? Oh yeah, I think it's this one. I don't know. Don't take me at my word. I tested five or six of these this morning. I can't remember. Oh yeah, this one has the security note. So this is intended to run as a microservice, so don't directly expose it to the internet. And I think the main point here is that, yeah, even if we don't directly connect to it, maybe we can sneak in a payload and somebody else runs it. There are loads of situations where we may be able to get access to this, maybe even via just normal SSRF, for example, as an external user. So this is kind of dangerous. Not sure how many projects this is used on, but yeah, I just copied and pasted and spun it up using the... oh, not that one. There's a Docker Compose file somewhere. Can't remember where it is, but... oh, there we go. Yeah, here we are. So docker compose, and just use that to spin it up. So anyway, yeah, that's the main thing. And getting server-side cross-site scripting can be an interesting alternative to... I closed it down. So basically our classic server-side request forgery, which is just where we see an HTTP request and it has a URL in the body.
In this case, we can obviously send our payloads in loads of different ways. All right, let me switch back to the chat. Yeah, just in case you didn't see it before, the link to the original talk which this is based on. And they go into a lot more depth, and there are loads of different types of payloads, loads of local file read and some other interesting things to look at. Definitely check it out. It was a really good night. And if you have an OWASP chapter near you, go to the meetups, like I was talking about before. It's really important to do things like networking; it can open a lot of doors for you. And yeah, the OWASP London chapter is always really good fun. And there's always pizza, at least at the London one. There's always pizza and beer, which, you know, I appreciate. So it's all good. All right, let me answer a few more questions then. See how we're doing. Let's see. Okay, I can see 50 pinned questions. So let's answer five more before we wrap up for today. So I'm going to scroll down and see. Okay, interesting and controversial question. Let's go with the hard ones. So, will degrees become more and more important in the future? I think degrees will always have their place, for sure. I don't see them going away or particularly changing. I know with the rise of the tech industry, it's been a bit of a bubble for quite a long time now. So maybe... I think generally speaking, within the tech industry, it's very useful to have a degree. Most companies expect it. I think it'll stay the same. That's what I think. I think degrees are useful and they're going to be useful for a long time. That's my hot take: I don't see it changing anytime soon. For sure. I think that's the interesting one.
It's probably not a very interesting answer, but that's what I think. Let me keep scrolling down. What about AI in cyber security? I mean, just like with everything else, I think use AI to make yourself more productive. Don't over-rely on it. I think the biggest thing is over-reliance and overconfidence. So even when I'm using AI day to day, it doesn't get everything right. It makes mistakes. It doesn't give me what I need, or I have to debug and troubleshoot if I'm writing some code, and things like this. So it's a great tool. Use it as a tool, and that's it. And a lot of people, I think... I saw a YouTube video titled "AI is going to replace SOC" or something like this. AI has been in SOC tools for such a long time. Even when I was working in a role years and years ago, we were using tools that had AI in them. They had behavioural detection and all sorts of stuff, and it's been there for such a long time. We were talking about AI in SOC tools like 10 years ago. So is it any different now? Are large language models any better than what SOC tools have already managed to use over the last 10 years? I don't think so. So much hype. Good tools, use them responsibly. Nothing is a silver bullet, otherwise, you know. Yeah, that's my hot take: make the most out of the tools that you've got at your disposal. And I think that's it. Let me keep scrolling down. Oh, interesting question. So, what type of penetration testing is good, automation-based or manual? So this kind of depends what you're trying to achieve, really. They both have their place. So we obviously do a lot of automation when we're working at scale.
We also do a lot of automation if you're an AppSec team and you're delivering updates every week, for example, or you're being really quick to push features to the market; automation is really important. Manual testing, you can go much deeper, or you can cover things that are much more... yeah, I think the right word is you can go deeper or you can go more complex. You can chain issues. You can look at things that maybe aren't vulnerabilities or exploitable themselves, but you can chain them with other things to achieve exploitation. Both of them are legit and both of them have useful applications. So I think whichever one you prefer, that's great, and just make sure you try and balance out your skills. If you're really good at manual testing, lean more into automation to make sure you're well balanced, and if you're really good at automation, make sure you do a little bit of manual testing to make sure that you just don't have a weakness. I think that's the trick. Oh, why not Kali? Yeah, I mean, for web app pen testing you literally need one tool, and that's... okay, two tools: your web browser and arguably a proxy, and that's it. So you don't need a special operating system for two tools. I mean, that's it. So it's much easier just to have my own stuff and I'm good to go. I think if I was network pentesting, I'd use Kali a lot more. And I do use Kali, for sure, but it's just overkill for web app pentesting. It's just not necessary. And yeah, that's the reason, I think. And you know me, I like to do web stuff. So as much as possible I pigeonhole myself into this small, narrow field. Let me keep scrolling down. Ah, this is okay. Cool request. Good name. It'd be cool to see you work through a little beginner API testing. Yeah, we haven't done this in a while.
And I have a bunch of boxes that we could probably go through. So next time I stream, which will probably be... let me see what's the date. So next week, I think we'll probably have Prince or Bellini on, and then the week after that I'm at DEF CON. So in 3 weeks, when I'm in, so I'm probably streaming on the 13th, we'll do some API stuff. I will do my best to remember, and we'll do a bunch of API pen testing. So that'll be fun, because I love APIs. Let's answer one more question. Oh, what is Bitchat? There's a question about Bitchat. I haven't heard of this. I don't know what it is. Hold on, I'm googling what this is. Is it like Signal? Decentralized peer-to-peer messaging app, works over Bluetooth mesh networks, no internet required. How do you send messages when you have no internet? What is this? So this is what I'm looking at at the moment. Is this the right thing? Oh, hold on. Let me swap my screens. This thing. Is this what we're looking at? I haven't looked at it, but it looks like a nice application to do some code review. So yeah, that could be fun. But yeah, I've not heard of it, I've not used this. I do have Signal, but I don't use that often. I just basically use WhatsApp like everybody else in the UK. I have a few others installed for friends who are abroad and things like that, depending on where you are in the world. But yeah. Ah, Bluetooth, limited range. Okay. Ah, I see. So the messaging goes over Bluetooth, not via the internet. Got it. I understand. Cool. All right. I think that's it for today. So yeah, if you want some live web app training, there's the link going... oh, it's right on screen now. I can follow it like this. Have a look at the web app live.
Otherwise, the box that I did today, there are some changes I want to make and some things I want to tweak on it to make it a little bit smoother and also demonstrate some other stuff. But by the time I stream on the 13th, it should be up on my GitHub. Fingers crossed. So if you want to take a look at it at some point, it'll be up in a few weeks. Like I say, I want to fix a bunch of things first. I just got it up and running for today's live stream. And I don't think I have anything else to share. That's it. So have a great rest of the day, everybody. Work hard, be kind to each other, all that good stuff. And I will catch you all next time. Thanks, everyone.
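The token weakness walked through in the first part of the stream (a session token derived from the user's email and Date.now(), so that a guess at the issue minute leaves only 120,000 candidates) can be checked without Burp at all. The following is an added example, not the stream's generate-tokens script or the lab's tokens.js: it models that scheme with assumed details (SHA-256 over email, a ":" delimiter and the millisecond timestamp), shows the keyspace a one-minute window leaves, and puts a CSPRNG token beside it. recover_issue_time is the self-check a reviewer would run against their own token generator: if any timestamp in the window reproduces a token, the scheme is guessable.

```python
"""Why a clock-seeded token is brute-forceable, beside a safe alternative.

Added example, not the stream's script or the lab's tokens.js. Assumed scheme:
token = sha256(email ":" milliseconds). The email is the one used on the stream;
the issue time is constructed for the demo.
"""
import hashlib
import math
import secrets
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_ms(dt: datetime) -> int:
    """Milliseconds since the Unix epoch, with exact integer arithmetic."""
    return (dt - EPOCH) // timedelta(milliseconds=1)


def weak_token(email: str, issued_ms: int) -> str:
    """Assumed weak scheme. Nothing here is secret except the issue time,
    which an attacker can narrow to a window of a few minutes."""
    return hashlib.sha256(f"{email}:{issued_ms}".encode()).hexdigest()


def candidate_count(window_minutes: int) -> int:
    """Candidates for a guess of +/- window_minutes at 1 ms resolution.
    One minute either side gives 120,000, the figure quoted on the stream."""
    return 2 * window_minutes * 60 * 1000


def effective_bits(window_minutes: int) -> float:
    """Entropy the attacker actually faces, in bits (a CSPRNG token has ~256)."""
    return math.log2(candidate_count(window_minutes))


def recover_issue_time(email: str, observed_token: str,
                       centre: datetime, window_minutes: int):
    """Defender's self-check: return the ms timestamp that reproduces the
    observed token if one exists in the window, else None."""
    start_ms = to_ms(centre - timedelta(minutes=window_minutes))
    for ms in range(start_ms, start_ms + candidate_count(window_minutes)):
        if secrets.compare_digest(weak_token(email, ms), observed_token):
            return ms
    return None


def strong_token() -> str:
    """32 bytes from the OS CSPRNG: no guessable component at all."""
    return secrets.token_urlsafe(32)


def demo_case():
    """Constructed scenario: a token issued 12.345 s after 17:40 UTC."""
    email = "admin@freeflow.com"
    centre = datetime(2025, 7, 23, 17, 40, tzinfo=timezone.utc)
    issued_ms = to_ms(centre + timedelta(seconds=12, milliseconds=345))
    return email, centre, issued_ms, weak_token(email, issued_ms)


if __name__ == "__main__":
    email, centre, issued_ms, token = demo_case()
    print(f"+/-1 min: {candidate_count(1):,} candidates "
          f"({effective_bits(1):.1f} bits); a whole day: {candidate_count(12 * 60):,}")
    print("weak token reproduced at ms:", recover_issue_time(email, token, centre, 1))
    print("strong token reproduced at ms:",
          recover_issue_time(email, strong_token(), centre, 1))
```

The loop runs the full 120,000 hashes in well under a second on a laptop, which is the whole point: when the only unknown in a token is the clock, the attacker's work factor is the width of their guess window, not the hash length. A day-wide window is 86,400,000 candidates, still only about 26 bits.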
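The main lab shows why a "submit text, render it to PDF in a headless browser" service is dangerous: anything the browser is handed as HTML it will also fetch, from the container's network, including the AWS metadata address the stream mentions. The two controls below are an added example written for this page, not code from the lab, the talk it is based on, or any converter project. Control 1 escapes user text before it reaches the renderer, so an <iframe> or <script> in a job description is printed, not executed. Control 2 is a predicate for the renderer's outbound requests: http(s) only, and only to an allowlisted host, which rejects loopback, private and link-local addresses. The allowlist host and sample URLs are constructed; the hook the predicate plugs into (a request-interception handler in Playwright or Puppeteer, or an egress proxy) is assumed rather than shown.

```python
"""Two defensive checks for a headless-browser PDF converter.

Added example, not the lab's or any converter's code. ALLOWED_HOSTS and
SAMPLE_REQUESTS are constructed for the demo.
"""
import html
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only origin the renderer may load assets from.
ALLOWED_HOSTS = {"static.example.com"}


def render_safely(user_text: str) -> str:
    """Control 1: escape user text and wrap it in <pre>; markup becomes literal."""
    return f"<pre>{html.escape(user_text, quote=True)}</pre>"


def is_safe_fetch_target(url: str) -> bool:
    """Control 2: allow http(s) to allowlisted hosts only.

    Literal IP hosts that are not globally routable (loopback, RFC 1918,
    link-local such as 169.254.169.254) are rejected. Hostnames are matched by
    name; in production also resolve the name and re-check the resolved address
    so a DNS rebinding cannot slip past this check.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False  # blocks file://, data:, gopher:// and friends
    host = parts.hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in ALLOWED_HOSTS  # a hostname, not an IP literal
    return ip.is_global and host in ALLOWED_HOSTS  # IP literals need both


def filter_requests(urls):
    """Split the renderer's outbound requests into (allowed, blocked)."""
    allowed = [u for u in urls if is_safe_fetch_target(u)]
    blocked = [u for u in urls if not is_safe_fetch_target(u)]
    return allowed, blocked


# Constructed: requests a converter might be asked to make by injected markup.
SAMPLE_REQUESTS = [
    "https://static.example.com/invoice.css",
    "http://169.254.169.254/latest/meta-data/",
    "http://localhost:1234/",
    "http://fake-ec2:9000/",
    "file:///etc/passwd",
    "http://[::1]:9000/",
    "http://10.0.0.5/admin",
]

if __name__ == "__main__":
    print(render_safely('<iframe src="http://fake-ec2:9000" width="500px"></iframe>'))
    allowed, blocked = filter_requests(SAMPLE_REQUESTS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

Both controls are needed: escaping stops the injected markup, and the egress predicate limits the damage if some other path (a template bug, a trusted-looking upstream service) still delivers HTML to the renderer. Neither replaces the repository's own advice quoted on the stream, which is to keep the converter off the public internet and treat it as an internal microservice.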

Original Description

https://www.tcm.rocks/livewebapp-y - Attend Alex's live web app training, which starts later this month! This 4-day session (spread across 4 weeks) will prepare you for a rewarding career as a web app pentester. No prior hacking experience? You don't need it for this in-depth training. You'll also receive a PWPA and PWPP voucher when you sign up! Follow along with Alex Olsen as he does some web app hacking in this recorded livestream.
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

The video provides an introduction to web hacking, pentesting, and cybersecurity, with a focus on web application security and bug bounty hunting. Viewers can learn about the basics of pentesting and how to prepare for a career in web app pentesting.

Key Takeaways
  1. Learn the basics of web application security
  2. Understand pentesting concepts and tools
  3. Prepare for a career in web app pentesting
  4. Use Python and other hacking frameworks for security analysis
  5. Participate in bug bounty hunting
💡 Web application security is a critical aspect of cybersecurity, and pentesting is an essential skill for identifying vulnerabilities and protecting against threats.
